1. Introduction

Deductive systems, given via axioms and rules of inference, are a common conceptual
tool in mathematical logic and computer science. They are used to specify many
varieties of logics and logical theories as well as aspects of programming languages
such as type systems or operational semantics. A logical framework is a
meta-language for the specification of deductive systems. A number of different
frameworks have been proposed and implemented for a variety of purposes. In
addition, general reasoning systems have been used to study deductions as
mathematical objects, without specific support for the domain of deductive systems.

In this chapter we highlight the major themes, concepts, and design choices for
logical frameworks and provide pointers to the literature for further reading. We
concentrate on systems designed specifically as frameworks and among them on those
most immediately based on deduction: hereditary Harrop formulas (implemented in
λProlog and Isabelle) and the LF type theory (implemented in Elf). We briefly
mention other approaches below and discuss them in more detail in Section 8.

Logical frameworks are subject to the same general design principles as other
specification and programming languages. They should be simple and uniform,
providing concise means to express the concepts and methods of the intended
application domains. Meaningless expressions should be detected statically and it
should be possible to structure large specifications and verify that the components
fit together. There are also concerns specific to logical frameworks. Perhaps most
importantly, an implementation must be able to check deductions for validity with
respect to the specification of a deductive system. Secondly, it should be feasible
to prove (informally) that the representations of deductive systems in the framework
are adequate so that we can trust formal derivations. We return to each of these
points when we discuss different design choices for logical frameworks.

Historically, the first logical framework was Automath [de Bruijn 1968, de Bruijn
1980, Nederpelt, Geuvers and de Vrijer 1994] and its various languages, developed
during the late sixties and early seventies. The goal of the Automath project was to
provide a tool for the formalization of mathematics without foundational prejudice.
Therefore, the logic underlying a particular mathematical development was an
integral part of its formalization. Many of the ideas from the Automath language
family have found their way into modern systems. The main experiment conducted
within Automath was the formalization of Landau's Foundations of Analysis [Jutting
1977]. In the early eighties the importance of constructive type theories for
computer science was recognized through the pioneering work of Martin-Löf
[Martin-Löf 1980, Martin-Löf 1985a, Martin-Löf 1985b]. On the one hand, this led to
a number of systems for constructive mathematics and the extraction of functional
programs from constructive proofs (beginning with Petersson's implementation
[Petersson 1982], followed by Nuprl [Nuprl 1999, Constable et al. 1986], Coq [Coq
1999, Dowek, Felty, Herbelin, Huet, Murthy, Parent, Paulin-Mohring and Werner 1993],
PX [Hayashi and Nakano 1988], and LEGO [LEGO 1998, Luo and Pollack 1992, Pollack
1994]). On the other hand, it strongly influenced the design of LF [Harper, Honsell
and Plotkin 1987, Harper, Honsell and Plotkin 1993], sometimes called the Edinburgh
Logical Framework (ELF). Concurrent with the development of LF, frameworks based on
higher-order logic and resolution were designed in the form of generic theorem
provers [Paulson 1986, Paulson 1989, Nipkow and Paulson 1992] and logic programming
languages [Nadathur and Miller 1988, Miller, Nadathur, Pfenning and Scedrov 1991].
The type-theoretic and logic programming approaches were later combined in the Elf
language [Pfenning 1989, Pfenning 1991a]. At this point, there was a pause in the
development of new frameworks, while the potential and limitations of existing
systems were explored in numerous experiments (see Section 8.3). The mid-nineties
saw renewed activity with implementations of frameworks based on inductive
definitions such as FS₀ [Feferman 1988, Matthews, Smaill and Basin 1993, Basin and
Matthews 1996] and ALF [Nordström 1993, Altenkirch, Gaspes, Nordström and von Sydow
1994], partial inductive definitions [Hallnäs 1991, Eriksson 1993a, Eriksson 1994],
substructural frameworks [Schroeder-Heister 1991, Girard 1993, Miller 1994,
Cervesato and Pfenning 1996, Cervesato 1996], rewriting logic [Martí-Oliet and
Meseguer 1993, Borovansky, Kirchner, Kirchner, Moreau and Ringeissen 1998], and
labelled deductive systems [Gabbay 1994, Basin, Matthews and Viganò 1998, Gabbay
1996]. A full discussion of these is beyond the scope of this chapter; the reader
can find some brief remarks in Section 8.

Some researchers distinguish between logical frameworks and meta-logical frameworks
[Basin and Constable 1993], where the latter is intended as a meta-language for
reasoning about deductive systems rather than within them. Clearly, any meta-logical
framework must also provide means for specifying deductive systems, though with
different goals. We therefore consider them here and discuss issues related to
meta-theoretic reasoning in Section 5. Systems not based on type theory are
sometimes called general logics. We do not attempt to delineate precisely what
characterizes general logics as a special case of logical frameworks, but we point
out some methodological differences between approaches rooted in type theory and
logic throughout this chapter. They are summarized in Section 8.

The remainder of this chapter follows the tasks which arise in a typical application
of a logical framework: specification, search, and meta-theory. As an example we
pick a fragment of predicate logic. In Section 2 we introduce techniques for the
representation of formulas and other expressions of a given object logic. Section 3
treats the representation of judgments and legal deductions. These two sections
therefore illustrate how logical frameworks support specification of deductive
systems. Section 4 sketches generic principles underlying proof search and how they
are realized in logical frameworks. It therefore covers reasoning within deductive
systems. Section 5 discusses approaches for formal reasoning about the properties of
logical systems. Sections 6 and 7 summarize the formal definitions underlying the
frameworks under consideration in this chapter. We conclude with remarks about
current lines of research and applications in Section 8.
2. Abstract syntax


The specification of a deductive system usually proceeds in two stages: first we
define the syntax of an object language and then the axioms and rules of inference.
Since we are interested in the meanings of expressions, we ignore issues of concrete
syntax and parsing and specify abstract syntax only. Different framework
implementations provide different means for customizing the parser in order to
embed the desired object-language syntax.

As an example throughout this chapter we consider formulations of intuitionistic
and classical first-order logic. In order to keep this chapter to a manageable
length, we restrict ourselves to the fragment containing implication, negation, and
universal quantification. The reader is invited to test his or her understanding by
extending the development to include a more complete set of connectives and
quantifiers. Representations of first-order intuitionistic and classical logic in
various logical frameworks can be found in the literature (see, for example, [Felty
and Miller 1988, Paulson 1990, Harper et al. 1993, Pfenning 2001]).

Our fragment of first-order logic is constructed from individual variables, function
symbols, and predicate symbols in the usual way. We assume each function and
predicate symbol has a unique arity, indicated by a superscript, but generally
omitted since it will be clear from the context. Individual constants are function
symbols of arity 0 and propositional constants are predicate symbols of arity 0.

    Function symbols    $f^k$
    Predicate symbols   $p^k$
    Variables           $x$
    Terms               $t ::= x \mid f^k(t_1, \ldots, t_k)$
    Atoms               $P ::= p^k(t_1, \ldots, t_k)$
    Formulas            $A ::= P \mid A_1 \supset A_2 \mid \neg A \mid \forall x.\, A$


We assume that there is an infinite number of variables $x$. The set of function
and predicate symbols is left unspecified in the general development of logic. We
therefore view our specification as open-ended. A commitment, say, to arithmetic
would fix the available function and predicate symbols. We write $x$ and $y$ for
variables, $t$ and $s$ for terms, and $A$, $B$, and $C$ for formulas. There are
some important operations on terms and formulas required for the presentation of
inference rules. Specifically, we need the notions of free and bound variable, the
renaming of bound variables, and the operations of substitution $[t/x]s$ and
$[t/x]A$, where the latter may need to rename variables bound in $A$ in order to
avoid variable capture. We assume that these operations are understood and do not
define them formally. An assumption generally made in connection with variable
names is the so-called variable convention [Barendregt 1980] (which goes back to
Church and Rosser [Church and Rosser 1936]) which states that expressions differing
only in the names of their bound variables are considered identical. We examine to
what extent various frameworks support this convention.
2.1. Uni-typed representations


As the archetypical untyped representation language we choose first-order terms
themselves. Actually, it is more appropriate to think of it as a uni-typed language,
that is, a language with a single type of individuals. For each function symbol $f$
we have a corresponding function symbol $c_f$ of the same arity in the
representation. Similarly, each predicate symbol $p$ is represented by a constant
$c_p$. The representation of variables is more complex, since there are infinitely
many of them. For simplicity, we assume variables are enumerated and the $n$th
variable $x_n$ is represented by $\mathsf{var}(n)$, where the natural numbers $n$
are either meta-language constants or constructed from constants for zero and
successor. We write $\ulcorner - \urcorner$ for the representation function which
maps expressions of an object language to objects in the meta-language. We use
sans-serif font for constants in the various logical frameworks we consider.


    $\ulcorner x_n \urcorner = \mathsf{var}(n)$
    $\ulcorner f(t_1, \ldots, t_k) \urcorner = c_f(\ulcorner t_1 \urcorner, \ldots, \ulcorner t_k \urcorner)$
    $\ulcorner p(t_1, \ldots, t_k) \urcorner = c_p(\ulcorner t_1 \urcorner, \ldots, \ulcorner t_k \urcorner)$
    $\ulcorner A \supset B \urcorner = \mathsf{imp}(\ulcorner A \urcorner, \ulcorner B \urcorner)$
    $\ulcorner \neg A \urcorner = \mathsf{not}(\ulcorner A \urcorner)$
    $\ulcorner \forall x.\, A \urcorner = \mathsf{forall}(\ulcorner x \urcorner, \ulcorner A \urcorner)$


However, our task is not yet complete: we need to be able to check, for example, if
a given meta-language term represents a formula. For this we use Horn clauses to
axiomatize the atomic proposition $\mathsf{formula}(t)$ which expresses that the
meta-language term $t$ represents a formula of the object language. This requires
several auxiliary predicates to recognize representations of variables and terms.
The specification below is effective in the sense that it can be executed in pure
Prolog to check if a given term represents a well-formed formula. For our purposes,
we think of Horn clauses as generated by the following grammar.

    Horn clauses   $D ::= P \mid \top \mid D_1 \wedge D_2 \mid P_1 \wedge \ldots \wedge P_n \supset P \mid \forall x.\, D$

where $P$ stands for atomic propositions and $\top$ stands for the true
proposition. We refer to a collection of closed Horn clauses as a Horn theory and
write $\mathcal{T} \vDash P$ if the Horn theory $\mathcal{T}$ entails $P$. Natural
numbers are represented in unary form with $\mathsf{z}$ representing 0 and
$\mathsf{s}$ representing the successor function.
    $\mathsf{nat}(\mathsf{z})$
    $\forall n.\, \mathsf{nat}(n) \supset \mathsf{nat}(\mathsf{s}(n))$
    $\forall n.\, \mathsf{nat}(n) \supset \mathsf{variable}(\mathsf{var}(n))$
    $\forall t.\, \mathsf{variable}(t) \supset \mathsf{term}(t)$
    $\forall A.\, \forall B.\, \mathsf{formula}(A) \wedge \mathsf{formula}(B) \supset \mathsf{formula}(\mathsf{imp}(A, B))$
    $\forall A.\, \mathsf{formula}(A) \supset \mathsf{formula}(\mathsf{not}(A))$
    $\forall x.\, \forall A.\, \mathsf{variable}(x) \wedge \mathsf{formula}(A) \supset \mathsf{formula}(\mathsf{forall}(x, A))$

We have to add clauses for particular function and predicate symbols. For example,
if an equality predicate $eq^2$ is available in the object logic, we add the clause

    $\forall x.\, \forall y.\, \mathsf{term}(x) \wedge \mathsf{term}(y) \supset \mathsf{formula}(\mathsf{eq}(x, y))$

Arities of the function symbols and predicates are thus built into the
representation. A drawback with this and related first-order, uni-typed methods is
that we have to prove $\mathsf{formula}(t)$ to verify that $t$ represents a formula
of the object language; it is an external rather than an internal property of the
representation. More precisely, if we denote the theory above by $\mathcal{F}$,
then we have the following representation theorem.

2.1. Theorem (Adequacy).

1. $\mathcal{F} \vDash \mathsf{variable}(t')$ iff $t' = \ulcorner x_n \urcorner$ for a variable $x_n$.

2. $\mathcal{F} \vDash \mathsf{term}(t')$ iff $t' = \ulcorner t \urcorner$ for a term $t$.

3. $\mathcal{F} \vDash \mathsf{formula}(t')$ iff $t' = \ulcorner A \urcorner$ for a formula $A$.

Proof. In one direction this follows by an easy induction on $n$ and the structure
of $t$ and $A$.

In the other direction we need a deep semantic or proof-theoretic understanding of
Horn logic. For example, we use the structure of the least Herbrand model, or we
can take advantage of the fact that a Horn theory inductively defines its atomic
predicates. □

Adequacy theorems play a critical role in logical frameworks. They guarantee that
we can translate expressions from the object language to objects in the
meta-language, compute with them, and then interpret the results back in the object
language. This will be particularly important when we consider the adequacy of the
encoding of inference rules (Theorem 3.1) and deductions (Theorem 3.2), because
they ensure that formal reasoning in the logical framework is correct with respect
to the object logic under consideration. Generally, we would like the
representation function to be a bijection, but this is not always necessary as long
as we can translate safely in both directions.
For the particular adequacy theorem above it is irrelevant whether the propositions
of the meta-logic are interpreted classically or intuitionistically, since classical
and intuitionistic provability coincide on Horn clauses. We can also view a fixed
set of Horn clauses as an inductive definition of the atomic predicates involved.
In our example, the predicates $\mathsf{nat}$, $\mathsf{variable}$,
$\mathsf{term}$, and $\mathsf{formula}$ are all inductively defined by the clauses
given above. The fact that Horn clauses allow such diverse interpretations is one
reason why they constitute a stable and frequently used basis for logical
frameworks.

The first-order representation above does not support the variable convention:
renaming of bound variables must be implemented explicitly. For example, the
representations of $\forall x_1.\, p(x_1)$ and $\forall x_3.\, p(x_3)$ are not
identified in the meta-language. Instead we can define a binary predicate
$\mathsf{id}$ such that $\mathsf{id}(A_1, A_2)$ holds iff $A_1$ and $A_2$ represent
formulas which differ only in the names of their bound variables. The technique of
de Bruijn indices [de Bruijn 1972] eliminates this shortcoming without requiring a
change in the expressive power of the meta-language. There, a variable is
represented by a natural number $n$, which indicates that the variable is bound by
the $n$th enclosing abstraction. For example, $\forall x_1.\, \forall x_5.\, p(x_5)
\supset p(x_1)$ and all alphabetic variants of it would be represented as
$\mathsf{forall}(\mathsf{forall}(\mathsf{imp}(\mathsf{p}(\mathsf{var}(1)),
\mathsf{p}(\mathsf{var}(2)))))$. De Bruijn indices have been employed as the basic
representation for many implementation and verification efforts for deductive
systems (see, for example, [de Bruijn 1972, Shankar 1988]).
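The Horn theory F and the id predicate above, as an added example that is not code from the chapter: the uni-typed encoding as nested Python tuples, one Python function per inductively defined predicate of F so that formula(t) can actually be run on a candidate term (the same check pure Prolog would perform), and a translation to de Bruijn indices that decides id(A1, A2) by structural equality. The tuple encoding, the helper names (var, imp, neg, forall, eq, id_, debruijn), the fixed set of function and predicate symbols in FUNS and PREDS, and the sample formulas are all constructions of this example, not part of the original text.

```python
"""Uni-typed (first-order) representation of the formula fragment.

Added example, not code from the chapter. The nested-tuple encoding, the
function names, the particular symbols in FUNS/PREDS and the sample
formulas are all constructed for this example.
"""

# Meta-language terms are nested tuples:
#   ("var", n)          the n-th variable x_n (n is a Python int standing for z, s(z), ...)
#   ("f", t1, ..., tk)  function symbol f applied to k argument terms
#   ("p", t1, ..., tk)  predicate symbol p applied to k argument terms
#   ("imp", A, B), ("not", A), ("forall", x, A)    the three connectives
def var(n):       return ("var", n)
def imp(a, b):    return ("imp", a, b)
def neg(a):       return ("not", a)
def forall(x, a): return ("forall", x, a)
def eq(s, t):     return ("eq", s, t)

# A "commitment" to a particular theory fixes the symbols and their arities.
FUNS = {"zero": 0, "succ": 1, "plus": 2}      # constructed signature
PREDS = {"eq": 2, "p": 1}

# The Horn theory F, one Python function per inductively defined predicate.
# Each clause of F is one branch; every recursive call is on a proper subterm,
# so the check terminates on any input, including ill-formed ones.
def nat(t):
    return isinstance(t, int) and not isinstance(t, bool) and t >= 0

def variable(t):
    return isinstance(t, tuple) and len(t) == 2 and t[0] == "var" and nat(t[1])

def term(t):
    if variable(t):
        return True
    return (isinstance(t, tuple) and len(t) > 0 and t[0] in FUNS
            and len(t) == FUNS[t[0]] + 1 and all(term(s) for s in t[1:]))

def formula(t):
    if not isinstance(t, tuple) or len(t) == 0:
        return False
    tag = t[0]
    if tag == "imp":
        return len(t) == 3 and formula(t[1]) and formula(t[2])
    if tag == "not":
        return len(t) == 2 and formula(t[1])
    if tag == "forall":
        return len(t) == 3 and variable(t[1]) and formula(t[2])
    # atoms: the clause added for each predicate symbol, e.g. eq^2
    return tag in PREDS and len(t) == PREDS[tag] + 1 and all(term(s) for s in t[1:])

# The first-order encoding does not support the variable convention, so
# alpha-equivalence has to be computed. Translating to de Bruijn indices turns
# it into a structural equality test: a bound occurrence becomes ("var", k)
# where k counts enclosing binders from the innermost one, and an occurrence
# of a free variable x_n is kept apart as ("free", n).
def debruijn(a, bound=()):
    def tm(t):
        if variable(t):
            for k, m in enumerate(reversed(bound), start=1):
                if m == t[1]:
                    return ("var", k)
            return ("free", t[1])
        return (t[0],) + tuple(tm(s) for s in t[1:])
    tag = a[0]
    if tag == "imp":
        return ("imp", debruijn(a[1], bound), debruijn(a[2], bound))
    if tag == "not":
        return ("not", debruijn(a[1], bound))
    if tag == "forall":
        return ("forall", debruijn(a[2], bound + (a[1][1],)))
    return (tag,) + tuple(tm(s) for s in a[1:])

def id_(a1, a2):
    """id(A1, A2): both are formulas and differ only in bound variable names."""
    return formula(a1) and formula(a2) and debruijn(a1) == debruijn(a2)

if __name__ == "__main__":
    a1 = forall(var(1), ("p", var(1)))
    a2 = forall(var(3), ("p", var(3)))
    print(formula(a1), a1 == a2, id_(a1, a2))     # True False True
    print(debruijn(forall(var(1), forall(var(5), imp(("p", var(5)), ("p", var(1)))))))
```

Two things are visible in the code that the clauses alone do not show. First, external validity really is a computation: formula(t) rejects var(1) as a formula, rejects p with the wrong number of arguments, and rejects a forall whose binder position holds a non-variable, but only because the checker is run; nothing about the term itself prevents constructing such values. Second, shadowing is handled for free by the de Bruijn translation because the innermost binder is searched first, which is exactly where an explicit id predicate written over named variables is easiest to get wrong.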


2.2. Simply-typed representation

A standard method for transforming an external validity condition (given here by a
Horn theory) into an internal property of the representation is to introduce types.
By designing the type system so that type checking is decidable, we turn a dynamic
property into a static property. We begin with simple types. The idea is to
introduce type constants $i$ and $o$ for object-level terms and formulas,
respectively. Implication, for example, is then represented by a constant of type
$o \to (o \to o)$, that is, a formula constructor taking two formulas as arguments
employing the standard technique of Currying. This idea can be directly applied to
the representation in the previous section if we also introduce a type constant for
variables. We can improve upon this by enriching the representation language to
include higher-order terms, which leads us to the simply-typed $\lambda$-calculus,
$\lambda^{\to}$. We briefly summarize it here; for more complete discussion, see
Section 6.

    Types     $A ::= a \mid A_1 \to A_2$
    Objects   $M ::= c \mid x \mid \lambda x{:}A.\, M \mid M_1\, M_2$

We use $a$ to range over type constants, $c$ over object constants, and $x$ over
object variables. We follow the usual syntactic conventions: $\to$ associates to
the right, and application to the left. Parentheses group subexpressions, and the
scope of a $\lambda$-abstraction extends to the innermost enclosing parentheses or
to the end of the expression. We allow tacit $\alpha$-conversion (renaming of bound
variables) and write $[M/x]N$ for capture-avoiding substitution of $M$ for $x$ in
$N$. Constants and variables are declared and assigned types in a signature
$\Sigma$ and context $\Gamma$, respectively. Neither is permitted to declare
constants or variables more than once.

Using the simply-typed $\lambda$-calculus $\lambda^{\to}$ as a representation
language requires us to distinguish between arbitrary well-typed objects and
canonical forms. Canonical forms directly represent object-language entities, while
the meaning of arbitrary well-typed objects is computed by converting them to
canonical form. This is similar to most programming languages where values
represent data and the meaning of an expression is determined by evaluation. This
point of view leads to the following principal judgments. They are parameterized by
a signature $\Sigma$ that declares type and object constants and a context $\Gamma$
that declares the type of variables free in $M$ and $M'$.


    $\Gamma \vdash_\Sigma M : A$                $M$ is an object of type $A$
    $\Gamma \vdash_\Sigma M' \Uparrow A$         $M'$ is a canonical object of type $A$
    $\Gamma \vdash_\Sigma M \Uparrow M' : A$     $M$ has canonical form $M'$ at type $A$

The formal definition of the language and these judgments can be found in Section
6. The appropriate notion for canonical forms are long $\beta\eta$-normal forms,
that is, $\beta$-reduced and $\eta$-expanded objects. Given a syntactic category in
the object language and its representation type $A$, canonical forms of type $A$
are in bijective correspondence with object-language expressions in the appropriate
syntactic category (see Theorem 2.2 and the subsequent discussion). Since every
valid object has a unique type and canonical form (see Theorem 6.1), the meaning of
an arbitrary valid object is unambiguously determined.

Two objects are definitionally equal if they have the same canonical form.

    $\Gamma \vdash_\Sigma M = N : A$     $M$ is definitionally equal to $N$ at type $A$.

This is equivalent to stipulating that two objects are definitionally equal if they
can be transformed into each other by $\beta$- and $\eta$-conversion. Since
canonical forms depend on types, definitional equality also depends on types,
although we sometimes abbreviate it as $M = N$. Formulations of typed
$\lambda$-calculi as the foundation for functional programming normally do not
include $\eta$-conversion, since it does not preserve observational equivalence
under the usual operational semantics. For example, the Pure Type Systems reviewed
in Chapter XXII typically do not include $\eta$-conversion.

Returning to the representation of first-order logic, we introduce two declarations

    $i : \mathsf{type}$
    $o : \mathsf{type}$

for the types of representations of terms and formulas, respectively. For every
function symbol $f$ of arity $k$, we add a corresponding declaration

    $\mathsf{f} : \underbrace{i \to \cdots \to i}_{k} \to i.$

One of the central ideas in using a $\lambda$-calculus for representation is to
represent object-language variables by meta-language variables. Through
$\lambda$-abstraction at the meta-level we can properly delineate the scopes of
variables bound in the object language. For simplicity, we give corresponding
variables the same name in the two languages.

    $\ulcorner x \urcorner = x$
    $\ulcorner f(t_1, \ldots, t_k) \urcorner = \mathsf{f}\, \ulcorner t_1 \urcorner \ldots \ulcorner t_k \urcorner$

Predicate symbols are dealt with like function symbols. We add a declaration

    $\mathsf{p} : \underbrace{i \to \cdots \to i}_{k} \to o$

for every predicate symbol $p$ of arity $k$. Here are the remaining cases of the
representation function, each followed by the type of the constant it introduces.

    $\ulcorner p(t_1, \ldots, t_k) \urcorner = \mathsf{p}\, \ulcorner t_1 \urcorner \ldots \ulcorner t_k \urcorner$
    $\ulcorner A_1 \supset A_2 \urcorner = \mathsf{imp}\, \ulcorner A_1 \urcorner\, \ulcorner A_2 \urcorner$          $\mathsf{imp} : o \to o \to o$
    $\ulcorner \neg A \urcorner = \mathsf{not}\, \ulcorner A \urcorner$                          $\mathsf{not} : o \to o$
    $\ulcorner \forall x.\, A \urcorner = \mathsf{forall}\, (\lambda x{:}i.\, \ulcorner A \urcorner)$     $\mathsf{forall} : (i \to o) \to o$

The last case in the definition introduces the concept of higher-order abstract
syntax. If we represent variables of the object language by variables in the
meta-language, then variables bound by a construct in the object language must be
bound in the representation as well. The simply-typed $\lambda$-calculus has a
single binding operator $\lambda$, so all variable binding is mapped to binding by
$\lambda$. This idea goes back to Church's formulation of classical type theory
(see Chapter XIII) and Martin-Löf's system of arities [Nordström, Petersson and
Smith 1990]. In programming environments this was proposed by Huet and Lang [1978]
and developed further by Pfenning and Elliott [1988].

This leads to the first important representation principle of logical frameworks
employing higher-order abstract syntax: Bound variable renaming in the object
language is modeled by $\alpha$-conversion in the meta-language. Since we follow
the variable convention in the meta-language, the variable convention in the object
language is automatically supported in a framework using the representation
technique above. Consequently, it cannot be used directly for binding operators for
which renaming is not valid such as occur, for example, in module systems of
programming languages.

The variable binding constructor "$\forall$" of the object language is translated
into a second-order constructor $\mathsf{forall}$ in the meta-language, since
delineating the scope of $x$ introduces a function $(\lambda x{:}i.\, \ulcorner A
\urcorner)$ of type $i \to o$. What does it mean to apply this function? This
question leads to the concept of compositionality, a crucial property of
higher-order abstract syntax. First we note that

    $(\lambda x{:}i.\, \ulcorner A \urcorner)\, \ulcorner t \urcorner = [\ulcorner t \urcorner / x]\, \ulcorner A \urcorner$

since $\beta$-conversion is an admissible rule for definitional equality. We can
further prove (by a simple induction) that

    $[\ulcorner t \urcorner / x]\, \ulcorner A \urcorner = \ulcorner [t/x] A \urcorner.$

Here, substitution (both at the object and meta-level) is defined to rename bound
variables as necessary in order to avoid the capturing of variables free in $t$.
Compositionality also plays a very important role in the representation of
deductions in Section 3; we summarize it as: Substitution in the object language is
modeled by $\beta$-reduction in the meta-language.

The declarations of the basic constants above are open-ended in the sense that we
can always add further constants without destroying the validity of earlier
representations. In logic programming, this is called the open-world assumption.
However, the definition also has an inductive character in the sense that the
validity judgment of the meta-language ($\lambda^{\to}$, in this case) is defined
inductively by some axioms and rules of inference. Therefore we can state and prove
that there is a compositional bijection between well-formed formulas and canonical
objects of type $o$. Since a term or formula may have free individual variables,
and they are represented by corresponding variables in the meta-language, we must
take care to declare them with their proper types in the meta-language context. We
refer to the particular signature with the declarations for term and formula
constructors as $\mathcal{F}$.

2.2. Theorem (Adequacy).

1. We have

    $x_1{:}i, \ldots, x_n{:}i \vdash_{\mathcal{F}} M \Uparrow i$   iff   $M = \ulcorner t \urcorner$,

where the free variables of term $t$ are among $x_1, \ldots, x_n$.

2. We have

    $x_1{:}i, \ldots, x_n{:}i \vdash_{\mathcal{F}} M \Uparrow o$   iff   $M = \ulcorner A \urcorner$,

where the free variables of formula $A$ are among $x_1, \ldots, x_n$.

3. The representation function $\ulcorner - \urcorner$ is a compositional bijection
in the sense that

    $[\ulcorner t \urcorner / x]\, \ulcorner s \urcorner = \ulcorner [t/x] s \urcorner$   and   $[\ulcorner t \urcorner / x]\, \ulcorner A \urcorner = \ulcorner [t/x] A \urcorner$.

Proof. In one direction we proceed by an easy induction on the structure of terms
and formulas. Compositionality can also be established directly by an induction on
the structure of $s$ and $A$, respectively.

In the other direction we carry out an induction over the structure of the
derivations of $M \Uparrow i$ and $M \Uparrow o$. To prove that the representation
function is a bijection, we write down its inverse on canonical forms and prove
that both compositions are identity functions. □

An important aspect of this theorem is that it establishes a bijection between
canonical forms of a given type ($i$ and $o$) and the object-language entities we
are trying to represent (terms and formulas, respectively). It is clear that not
every well-typed object of type $i$ or $o$ lies in the image of the representation
function. The next two examples show that canonical forms and not just
$\beta$-normal forms are actually required. We assume we have one unary predicate
$p$ and a corresponding constant $\mathsf{p} : i \to o$.

    $\vdash \mathsf{forall}\, (\lambda x{:}i.\, ((\lambda q{:}o.\, q)\, (\mathsf{p}\, x))) : o$
    $\vdash \mathsf{forall}\, \mathsf{p} : o$

Both of these objects have type $o$ but are not in the image of the representation
function $\ulcorner - \urcorner$. Their meaning can be determined by conversion to
canonical form. We calculate

    $\vdash \mathsf{forall}\, (\lambda x{:}i.\, ((\lambda q{:}o.\, q)\, (\mathsf{p}\, x))) \Uparrow \mathsf{forall}\, (\lambda x{:}i.\, \mathsf{p}\, x) : o$
    $\vdash \mathsf{forall}\, \mathsf{p} \Uparrow \mathsf{forall}\, (\lambda x{:}i.\, \mathsf{p}\, x) : o$

and thus both objects represent $\forall x.\, p(x)$ (or an alphabetic variant, of
course). Similar examples exist for the representation of derivations in Section 3.
This shows that canonical forms play the role of observable values in a functional
language, and conversion to canonical form the role of evaluation. A simple
$\beta$-normal form would not be sufficient, as the second example illustrates: it
is already $\beta$-normal, yet it is not a representation until it has been
$\eta$-expanded.
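The judgments of Section 2.2, the compositionality equation, and the two examples just calculated, as an added example that is not code from the chapter: a small implementation of $\lambda^{\to}$ with type checking, capture-avoiding substitution, conversion to long $\beta\eta$-normal form (the judgment $M \Uparrow M' : A$), and definitional equality as equality of canonical forms. The class and function names are this example's own; the signature SIG is the chapter's $\mathcal{F}$ for one unary predicate p, extended (as an assumption of this example) with a constant a : i and a function f : i → i so that there is a term to substitute. Variable names chosen by the caller are assumed not to contain an underscore, which the fresh-name generator reserves for itself.

```python
"""Simply-typed lambda-calculus as a representation language: type checking,
capture-avoiding substitution and conversion to canonical (long beta-eta-normal)
form.  Added example, not code from the chapter; names, SIG (the chapter's F plus
the assumed constants a:i and f:i->i) and the sample objects are constructed here.
User-chosen variable names are assumed not to contain "_"."""
from dataclasses import dataclass
from itertools import count

# Types: base types are the strings "i" and "o"; A1 -> A2 is the tuple (A1, A2).
I, O = "i", "o"
def arrow(*ts):                      # arrow(a, b, c) == a -> (b -> c)
    t = ts[-1]
    for s in reversed(ts[:-1]):
        t = (s, t)
    return t

@dataclass(frozen=True)
class Const: name: str
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: var: str; ty: object; body: object        # lambda var:ty. body
@dataclass(frozen=True)
class App: fn: object; arg: object                   # fn arg

SIG = {"p": arrow(I, O), "imp": arrow(O, O, O), "not": arrow(O, O),
       "forall": arrow(arrow(I, O), O), "a": I, "f": arrow(I, I)}

_counter = count()
def fresh(base):
    return f"{base}_{next(_counter)}"

def free_vars(m):
    if isinstance(m, Var):   return {m.name}
    if isinstance(m, Const): return set()
    if isinstance(m, Lam):   return free_vars(m.body) - {m.var}
    return free_vars(m.fn) | free_vars(m.arg)

def subst(n, x, m):
    """Capture-avoiding substitution [n/x]m."""
    if isinstance(m, Var):   return n if m.name == x else m
    if isinstance(m, Const): return m
    if isinstance(m, App):   return App(subst(n, x, m.fn), subst(n, x, m.arg))
    if m.var == x:           return m                 # x is shadowed here
    if m.var in free_vars(n):                         # rename the binder first
        y = fresh(m.var)
        m = Lam(y, m.ty, subst(Var(y), m.var, m.body))
    return Lam(m.var, m.ty, subst(n, x, m.body))

def typeof(m, ctx=None):
    """Gamma |-_Sigma M : A; raises TypeError/KeyError if M is not well-typed."""
    ctx = ctx or {}
    if isinstance(m, Const): return SIG[m.name]
    if isinstance(m, Var):   return ctx[m.name]
    if isinstance(m, Lam):   return (m.ty, typeof(m.body, {**ctx, m.var: m.ty}))
    tf, ta = typeof(m.fn, ctx), typeof(m.arg, ctx)
    if not (isinstance(tf, tuple) and tf[0] == ta):
        raise TypeError(f"cannot apply {tf} to {ta}")
    return tf[1]

def well_typed(m, ctx=None):
    try:
        typeof(m, ctx); return True
    except (TypeError, KeyError):
        return False

def whnf(m):
    """Contract head beta-redexes only."""
    while isinstance(m, App):
        f = whnf(m.fn)
        if not isinstance(f, Lam):
            return App(f, m.arg)
        m = subst(m.arg, f.var, f.body)
    return m

def canon(m, ty, ctx=None):
    """Gamma |-_Sigma M  ==> M' : A, the long beta-eta-normal form of M at type A."""
    ctx = ctx or {}
    if isinstance(ty, tuple):                         # eta-expand at arrow types
        x = fresh("x")
        return Lam(x, ty[0], canon(App(m, Var(x)), ty[1], {**ctx, x: ty[0]}))
    head, args = whnf(m), []                          # base type: h N1 ... Nk
    while isinstance(head, App):
        args.append(head.arg); head = head.fn
    out, hty = head, typeof(head, ctx)
    for a in reversed(args):                          # canonicalize each argument
        if not isinstance(hty, tuple):
            raise TypeError("head applied to too many arguments")
        out, hty = App(out, canon(a, hty[0], ctx)), hty[1]
    if hty != ty:
        raise TypeError(f"expected type {ty}, found {hty}")
    return out

def alpha_eq(m, n, pairs=()):
    """Equality up to renaming of bound variables (the variable convention)."""
    if isinstance(m, Var) and isinstance(n, Var):
        for a, b in reversed(pairs):                  # innermost binder decides
            if a == m.name or b == n.name:
                return a == m.name and b == n.name
        return m.name == n.name                       # both free
    if isinstance(m, Const) and isinstance(n, Const):
        return m.name == n.name
    if isinstance(m, Lam) and isinstance(n, Lam):
        return m.ty == n.ty and alpha_eq(m.body, n.body, pairs + ((m.var, n.var),))
    if isinstance(m, App) and isinstance(n, App):
        return alpha_eq(m.fn, n.fn, pairs) and alpha_eq(m.arg, n.arg, pairs)
    return False

def definitionally_equal(m, n, ty, ctx=None):
    """M = N : A iff M and N have the same canonical form."""
    return alpha_eq(canon(m, ty, ctx), canon(n, ty, ctx))

# The two objects of type o from the text, and the representation of forall x. p(x).
P, FORALL = Const("p"), Const("forall")
M1 = App(FORALL, Lam("x", I, App(Lam("q", O, Var("q")), App(P, Var("x")))))
M2 = App(FORALL, P)
REP = App(FORALL, Lam("x", I, App(P, Var("x"))))
```

Running canon(M1, O) and canon(M2, O) yields objects α-equivalent to REP, while neither M1 nor M2 is syntactically α-equivalent to REP before conversion. That is the practical content of the adequacy theorem: a checker that interprets meta-language objects must normalize to canonical form before reading them back as object-language expressions, and the η-expansion step in canon (the arrow case) is what rescues the second example, which is already β-normal. Applying the function (λx:i. ⌜p(x)⌝) to ⌜f(a)⌝ and canonicalizing returns ⌜p(f(a))⌝ directly, which is the compositionality equation computed rather than stated. Ill-typed objects such as p p never reach canon: typeof rejects them statically, which is the "internal validity" the section contrasts with the Horn-theory check of Section 2.1.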

We summarize the concepts and techniques introduced in this section. We noted the
tension between external and internal validity of representations. The former
arises if we write a general (logical) specification that allows us to prove that
meta-language objects represent well-formed object-language expressions. The latter
arises from a typed meta-language where well-typed meta-language objects correspond
to well-formed expressions of the object language. Validity of internal
representations is decidable by design, while this issue has to be reexamined in
each case for external validity.

A central issue in the representation of syntax is the treatment of variables. An
encoding where variables are represented by constants in the meta-language is
awkward and requires a significant machinery to handle the frequently required
operations of bound variable renaming and substitution. The more advanced technique
of de Bruijn indices represents occurrences of bound variables by pointers to their
binding occurrence, drastically simplifying many operations. Substitution must
still be axiomatized explicitly. The technique of higher-order abstract syntax
represents object language variables by meta-language variables. It requires
$\lambda$-abstraction in the meta-language in order to properly delineate the scope
of bound variables, which suggests the use of the simply-typed $\lambda$-calculus
as a representation language. In this approach, variable renaming is modeled by
$\alpha$-conversion, and capture-avoiding substitution is modeled by
$\beta$-reduction, both of which preserve definitional equality.

Languages such as the formulas of first-order logic are essentially open-ended in
the sense that we may obtain specific theories by making a commitment to a
particular set of function and predicate symbols. On the other hand they are also
inductive in the sense that in order to prove a meta-theoretic property, we may
need to proceed by induction over the structure of formulas, which is only possible
if we know that we are considering all possible cases. The compositionality of the
representation function is a simple example of such an inductive proof. This
tension is reflected in the simply-typed $\lambda$-calculus as a representation
language. On the one hand, it is open-ended in the sense that we can always declare
new constants without invalidating any prior typing or equality judgments. On the
other hand, the canonical objects constructed over a fixed signature are
inductively defined, since the meta-language has an inductive definition. Some
frameworks, such as FS₀ [Feferman 1988, Matthews et al. 1993] or ALF [Nordström
1993] make the inductive nature of these definitions explicit, at the price of
giving up higher-order abstract syntax. On the other hand one can then reason
internally about properties of deductive systems by induction. We will come back to
inductive meta-reasoning in Section 5.


3.  Judgments  and  deductions 

After designing the representation of terms and formulas, the next step is to encode the axioms and inference rules of the logic under consideration. There are several styles of deductive systems which can be found in the literature. There is the axiomatic style (originated by Frege [1879] and in its modern form by Hilbert and Bernays [1934]) where a logical system is given by axioms and a minimal number of inference rules. Gentzen [1935] developed natural deduction in which the meaning of each logical symbol is explained by means of its introduction and elimination rules. Natural deductions were developed to model mathematical reasoning practices more closely than axiomatic derivations while still remaining completely formal. Gentzen also introduced sequent calculi in which certain properties of derivations (such as the subformula property) are explicit. Sequent calculi form the basis of many proof search procedures today. Yet another style of presentation is based on category theory [Lambek and Scott 1986].

Logical  frameworks  are  typically  designed  to  deal  particularly  well  with  some 
of  these  systems,  while  being  less  appropriate  for  others.  The  Automath  languages 
were  designed  to  reflect  and  promote  good  informal  mathematical  practice.  It  should 
thus  be  no  surprise  that  they  were  particularly  well-suited  to  systems  of  natural 
deduction.  The  same  is  true  for  hereditary  Harrop  formulas  and  the  LF  type  theory, 
so  we  discuss  the  problem  of  representing  natural  deduction  first.  We  return  to 
axiomatic  systems  in  Section  3.5.  Other  systems,  including  sequent  calculi,  can  also 
be  directly  encoded  [Pfenning  1995,  Pfenning  2000]. 


3.1.  Parametric  and  hypothetical  judgments 

First, we introduce some terminology used in the presentation of deductive systems, introduced with its modern meaning by Martin-Löf [Martin-Löf 1985a]. We will generally interpret the notions as formal and syntactic, rather than semantic, since we would like to tie them closely to logical frameworks and their implementations. A judgment is defined by inference rules. An inference rule has zero or more premises and a conclusion; an axiom is an inference rule with no premises. A judgment is evident or derivable if it can be deduced using the given rules of inference. Most inference rules are schematic in that they contain meta-variables. We obtain instances of a schematic rule by replacing meta-variables with concrete expressions of the appropriate syntactic category. Each instance of an inference rule may be used in derivations. We write $\mathcal{D} :: J$ or

\[
\begin{array}{c} \mathcal{D} \\ J \end{array}
\]

when $\mathcal{D}$ is a derivation of judgment $J$. All derivations we consider must be finite.
Natural deduction further employs hypothetical judgments. We write

\[
\begin{array}{c} \overline{J_1}\;u \\ \vdots \\ J_2 \end{array}
\]

to express that judgment $J_2$ is derivable under hypothesis $J_1$ labelled $u$, where the vertical dots may be filled by a hypothetical derivation. Hypotheses have scope, that is, they may be discharged so that they are not available outside a given subderivation. We annotate the discharging inference with the label of the hypothesis. The meaning of a hypothetical judgment can be explained by substitution: we can substitute an arbitrary deduction $\mathcal{E} :: J_1$ for each occurrence of a hypothesis $J_1$ labelled $u$ in $\mathcal{D} :: J_2$ and obtain a derivation of $J_2$ that no longer depends on $u$. We write this substitution as $[\mathcal{E}/u]\mathcal{D} :: J_2$. For this to be meaningful we assume that multiple occurrences of a label annotate the same hypothesis, and that hypotheses satisfy the structural properties of exchange (the order in which hypotheses are made is irrelevant), weakening (a hypothesis need not be used) and contraction (a hypothesis may be used more than once).

An important related concept is that of a parametric judgment. Evidence for a judgment $J$ that is parametric in a variable $a$ is given by a derivation $\mathcal{D} :: J$ that may contain free occurrences of $a$. We refer to the variable $a$ as a parameter and use $a$ and $b$ to range over parameters. We can substitute an arbitrary object $O$ of the appropriate syntactic category for $a$ throughout $\mathcal{D}$ to obtain a deduction $[O/a]\mathcal{D} :: [O/a]J$. Parameters also have scope and their discharge is indicated by a superscript as for hypothesis labels.


3.2.  Natural  deduction 

Natural deduction is defined via a single judgment

\[
\vdash^N A \qquad \text{Formula } A \text{ is true}
\]

and the mechanisms of hypothetical and parametric deductions explained in the previous section.

In natural deduction each logical symbol is characterized by its introduction rule or rules, which specify how to infer a conjunction, disjunction, implication, universal quantification, etc. The elimination rule or rules for the connective then specify how we can use a conjunction, disjunction, etc. Underlying the formulation of the introduction and elimination rules is the principle of orthogonality: each connective should be characterized purely by its rules, and the rules should only use judgmental notions and not other logical connectives. Furthermore, the introduction and elimination rules for a logical connective cannot be chosen freely; as explained below, they should match up in order to form a coherent system. We call these conditions local soundness and local completeness.

Local  soundness  expresses  that  we  should  not  be  able  to  gain  information  by 
introducing  a  connective  and  immediately  eliminating  it.  That  is,  if  we  introduce 
and  then  eliminate  a  connective  we  should  be  able  to  reach  the  same  judgment 
without  this  detour.  We  show  that  this  is  possible  by  exhibiting  a  local  reduction 
on  derivations.  The  existence  of  a  local  reduction  shows  that  the  elimination  rules 
are  not  too  strong — they  are  locally  sound. 

Local  completeness  expresses  that  we  should  not  lose  information  by  introducing 
a  connective.  That  is,  given  a  judgment  there  is  some  way  to  eliminate  its  principal 
connective  and  then  re-introduce  it  to  arrive  at  the  original  judgment.  We  show 
that  this  is  possible  by  exhibiting  a  local  expansion  on  derivations.  The  existence 
of  a  local  expansion  shows  that  the  elimination  rules  are  not  too  weak — they  are 
locally  complete. 

Under the Curry-Howard isomorphism between proofs and programs [Howard 1980], local reduction corresponds to β-reduction and local expansion corresponds to η-expansion. We express local reductions and expansions via judgments which relate derivations of the same judgment.

\[
\begin{array}{c} \mathcal{D} \\ \vdash^N A \end{array} \ \Longrightarrow_R\ \begin{array}{c} \mathcal{D}' \\ \vdash^N A \end{array}
\qquad \mathcal{D} \text{ locally reduces to } \mathcal{D}'
\]

\[
\begin{array}{c} \mathcal{D} \\ \vdash^N A \end{array} \ \Longrightarrow_E\ \begin{array}{c} \mathcal{D}' \\ \vdash^N A \end{array}
\qquad \mathcal{D} \text{ locally expands to } \mathcal{D}'
\]

In the framework of partial inductive definitions [Hallnäs 1991] when used as a meta-logic [Hallnäs 1987, Schroeder-Heister 1991, Eriksson 1992, Eriksson 1993b, Eriksson 1993a, Eriksson 1994] the specification of introduction rules for a connective automatically leads to the proper elimination rules by virtue of general properties of the framework. We do not presuppose such a mechanism, but explicitly describe both introduction and elimination rules. In the spirit of orthogonality, we proceed connective by connective, discussing introduction and elimination rules and local reductions and expansions.
Implication. To derive $\vdash^N A \supset B$ we assume $\vdash^N A$ to derive $\vdash^N B$. Written as a hypothetical judgment:

\[
\frac{\begin{array}{c} \overline{\vdash^N A}\;u \\ \vdots \\ \vdash^N B \end{array}}{\vdash^N A \supset B}\ \supset\!I^u
\]

The hypothetical derivation describes a construction by which we can transform a derivation of $\vdash^N A$ into a derivation of $\vdash^N B$. This is accomplished by substituting the derivation of $\vdash^N A$ for every use of the hypothesis $\vdash^N A$ labelled $u$ in the derivation of $\vdash^N B$. The elimination rule expresses just that: if we have a derivation of $\vdash^N A \supset B$ and also a derivation of $\vdash^N A$, then we can obtain a derivation of $\vdash^N B$.

\[
\frac{\vdash^N A \supset B \qquad \vdash^N A}{\vdash^N B}\ \supset\!E
\]
The local reduction carries out the substitution of derivations explained above.

\[
\frac{\dfrac{\begin{array}{c} \overline{\vdash^N A}\;u \\ \mathcal{D} \\ \vdash^N B \end{array}}{\vdash^N A \supset B}\ \supset\!I^u \qquad \begin{array}{c} \mathcal{E} \\ \vdash^N A \end{array}}{\vdash^N B}\ \supset\!E
\quad \Longrightarrow_R \quad
\begin{array}{c} [\mathcal{E}/u]\mathcal{D} \\ \vdash^N B \end{array}
\]

The derivation on the right depends on all the hypotheses of $\mathcal{E}$ and $\mathcal{D}$ except $u$, for which we have substituted $\mathcal{E}$. The reduction described above may significantly increase the overall size of the derivation, since the deduction $\mathcal{E}$ is substituted for each occurrence of the assumption labelled $u$ in $\mathcal{D}$ and may therefore be replicated.
Local expansion is specified in a similar manner.

\[
\begin{array}{c} \mathcal{D} \\ \vdash^N A \supset B \end{array}
\quad \Longrightarrow_E \quad
\frac{\dfrac{\begin{array}{c} \mathcal{D} \\ \vdash^N A \supset B \end{array} \qquad \overline{\vdash^N A}\;u}{\vdash^N B}\ \supset\!E}{\vdash^N A \supset B}\ \supset\!I^u
\]

Here, $u$ must be a new label, that is, it cannot already be used in $\mathcal{D}$.


Negation. In order to derive $\vdash^N \neg A$ we assume $\vdash^N A$ and try to derive a contradiction. This is the usual formulation, but has the disadvantage that it requires falsehood ($\bot$) as a logical symbol, thereby violating the orthogonality principle. Thus, in intuitionistic logic, one ordinarily thinks of $\neg A$ as an abbreviation for $A \supset \bot$. An alternative rule sometimes proposed assumes $A$ and tries to derive $B$ and $\neg B$ for some $B$. This also breaks the usual pattern by requiring the logical symbol we are trying to define ($\neg$) in a premise of the introduction rule. However, there is another possibility to explain the meaning of negation without recourse to implication or falsehood. We specify that $\vdash^N \neg A$ should be derivable if we can conclude $p$ for any formula $p$ from the assumption $\vdash^N A$. In other words, the deduction of the premise is hypothetical in the assumption $\vdash^N A$ and parametric in the formula $p$.

\[
\frac{\begin{array}{c} \overline{\vdash^N A}\;u \\ \vdots \\ \vdash^N p \end{array}}{\vdash^N \neg A}\ \neg I^{p,u}
\]

According to our intuition, the parametric judgment should be derivable if we can substitute an arbitrary concrete formula $C$ for the parameter $p$ and obtain a valid derivation. Thus, $p$ may not already occur in the conclusion $\neg A$, or in any undischarged hypothesis. The reduction rule for negation follows from this interpretation and is analogous to the reduction for implication.


\[
\frac{\dfrac{\begin{array}{c} \overline{\vdash^N A}\;u \\ \mathcal{D} \\ \vdash^N p \end{array}}{\vdash^N \neg A}\ \neg I^{p,u} \qquad \begin{array}{c} \mathcal{E} \\ \vdash^N A \end{array}}{\vdash^N C}\ \neg E
\quad \Longrightarrow_R \quad
\begin{array}{c} [\mathcal{E}/u][C/p]\mathcal{D} \\ \vdash^N C \end{array}
\]

The local expansion is also similar to that for implication.

\[
\begin{array}{c} \mathcal{D} \\ \vdash^N \neg A \end{array}
\quad \Longrightarrow_E \quad
\frac{\dfrac{\begin{array}{c} \mathcal{D} \\ \vdash^N \neg A \end{array} \qquad \overline{\vdash^N A}\;u}{\vdash^N p}\ \neg E}{\vdash^N \neg A}\ \neg I^{p,u}
\]

Universal quantification. Under which circumstances should we be able to derive $\vdash^N \forall x.\, A$? This clearly depends on the domain of quantification. For example, if we know that $x$ ranges over the natural numbers, then we can conclude $\vdash^N \forall x.\, A$ if we can derive $\vdash^N [0/x]A$, $\vdash^N [1/x]A$, etc. Such a rule is not effective, since it has infinitely many premises. Thus one usually uses induction principles as inference rules. However, in a general treatment of predicate logic we would like to prove statements which are true for all domains of quantification. Thus we can only say that $\vdash^N \forall x.\, A$ should be derivable if $\vdash^N [a/x]A$ is derivable for an arbitrary new parameter $a$. Conversely, if we know $\vdash^N \forall x.\, A$, we know that $\vdash^N [t/x]A$ for any term $t$.


h  [alx)A  E'  Vx.  A 

- VP  - VE 

Vx.  A  \*[t!x\A 


The superscript $a$ is a reminder about the proviso for the introduction rule: the parameter $a$ must be "new", that is, it may not occur in any undischarged hypothesis in the derivation of $\vdash^N [a/x]A$ or in $\forall x.\, A$ itself. In other words, the derivation of the premise is parametric in $a$. If we know that $\vdash^N [a/x]A$ is derivable for an arbitrary $a$, we can conclude that $\vdash^N [t/x]A$ should be derivable for any term $t$. Thus we have the reduction


\[
\frac{\dfrac{\begin{array}{c} \mathcal{D} \\ \vdash^N [a/x]A \end{array}}{\vdash^N \forall x.\, A}\ \forall I^a}{\vdash^N [t/x]A}\ \forall E
\quad \Longrightarrow_R \quad
\begin{array}{c} [t/a]\mathcal{D} \\ \vdash^N [t/x]A \end{array}
\]


Here, $[t/a]\mathcal{D}$ is our notation for the result of substituting $t$ for the parameter $a$ throughout the deduction $\mathcal{D}$. For this to be sensible, we must know that $a$ does not already occur in $A$, because otherwise the conclusion of $[t/a]\mathcal{D}$ would be $[t/a][t/x]A$. Similarly, we would change the assumptions if $a$ occurred free in any of the undischarged hypotheses. This might render a larger derivation incorrect. As an example, consider the judgment $\vdash^N \forall x.\, \forall y.\, P(x) \supset P(y)$ which should clearly not be derivable for an arbitrary predicate $P$. The following is not a deduction of this judgment.


\[
\frac{\dfrac{\dfrac{\dfrac{\dfrac{\overline{\vdash^N P(a)}\;u}{\vdash^N \forall x.\, P(x)}\ \forall I^{a}\,?}{\vdash^N P(b)}\ \forall E}{\vdash^N P(a) \supset P(b)}\ \supset\!I^u}{\vdash^N \forall y.\, P(a) \supset P(y)}\ \forall I^b}{\vdash^N \forall x.\, \forall y.\, P(x) \supset P(y)}\ \forall I^a
\]

The flaw is at the inference marked with ?, where $a$ is free in the assumption $u$. Applying a local proof reduction to the (incorrect) $\forall I$ inference followed by $\forall E$ leads to the assumption $[b/a]P(a)$ which is equal to $P(b)$. The resulting derivation

\[
\frac{\dfrac{\dfrac{\overline{\vdash^N P(b)}\;u}{\vdash^N P(a) \supset P(b)}\ \supset\!I^u}{\vdash^N \forall y.\, P(a) \supset P(y)}\ \forall I^b}{\vdash^N \forall x.\, \forall y.\, P(x) \supset P(y)}\ \forall I^a
\]

is once again incorrect since the hypothesis labelled $u$ should be $P(a)$, not $P(b)$.
The local expansion just introduces and immediately discharges the parameter.

\[
\begin{array}{c} \mathcal{D} \\ \vdash^N \forall x.\, A \end{array}
\quad \Longrightarrow_E \quad
\frac{\dfrac{\begin{array}{c} \mathcal{D} \\ \vdash^N \forall x.\, A \end{array}}{\vdash^N [a/x]A}\ \forall E}{\vdash^N \forall x.\, A}\ \forall I^a
\]
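The derivations of this section as explicit objects, in an added Python example that is not code from the chapter (all names, such as `check`, `reduce_local`, `subst_p` and the constructed derivations `IDENT_REDEX` and `FLAWED`, are ours). Derivations for the implication/universal fragment are trees; `check` recomputes the judgment a tree derives and enforces the provisos (hypothesis labels in scope and agreeing with their discharge, the parameter of $\forall I$ new), and `reduce_local` carries out the two local reductions $[\mathcal{E}/u]\mathcal{D}$ and $[t/a]\mathcal{D}$. One representational assumption: since the premise of $\forall I$ is $[a/x]A$, the checker recovers $A$ by substituting the bound variable $x$ back for the parameter $a$. The flawed deduction of $\forall x.\, \forall y.\, P(x) \supset P(y)$ above is rejected at the inner $\forall I$, and reducing its $\forall I/\forall E$ detour yields exactly the derivation the text describes, with the leaf labelled $u$ claiming $P(b)$ while its discharge expects $P(a)$:

```python
# Added example, not code from the chapter: natural deductions for the ⊃/∀ fragment
# of Section 3.2 as checkable trees, with the local reductions [E/u]D and [t/a]D.
from collections import namedtuple

# Formulas.  Terms are plain strings: constants ('c') and parameters ('a', 'b').
Atom = namedtuple('Atom', 'pred args')       # P(a, b) is Atom('P', ('a', 'b'))
Imp = namedtuple('Imp', 'left right')        # A ⊃ B
All = namedtuple('All', 'var body')          # ∀x. A

def subst_f(f, t, x):
    """[t/x]f: replace the term symbol x by t in the formula f."""
    if isinstance(f, Atom): return Atom(f.pred, tuple(t if s == x else s for s in f.args))
    if isinstance(f, Imp):  return Imp(subst_f(f.left, t, x), subst_f(f.right, t, x))
    return f if f.var == x else All(f.var, subst_f(f.body, t, x))

def free_syms(f):
    """Term symbols occurring free in f (constants and parameters)."""
    if isinstance(f, Atom): return set(f.args)
    if isinstance(f, Imp):  return free_syms(f.left) | free_syms(f.right)
    return free_syms(f.body) - {f.var}

# Derivations.  A hypothesis leaf records its label and the formula it claims,
# like the leaf "⊢ A" labelled u on the page.
Hyp = namedtuple('Hyp', 'label formula')
ImpI = namedtuple('ImpI', 'label hyp body')  # ⊃I^u: discharges hypothesis label:hyp
ImpE = namedtuple('ImpE', 'fun arg')         # ⊃E
AllI = namedtuple('AllI', 'param var body')  # ∀I^a: from [a/x]A conclude ∀x. A
AllE = namedtuple('AllE', 'body term')       # ∀E: from ∀x. A conclude [t/x]A

def check(d, hyps=None):
    """Return the formula d derives under the undischarged hypotheses hyps
    (label -> formula); raise ValueError if d is not a valid deduction."""
    hyps = hyps or {}
    if isinstance(d, Hyp):
        if hyps.get(d.label) != d.formula:
            raise ValueError(f"hypothesis {d.label} should be {hyps.get(d.label)}, not {d.formula}")
        return d.formula
    if isinstance(d, ImpI):
        if d.label in hyps: raise ValueError(f"label {d.label} is already in use")
        return Imp(d.hyp, check(d.body, {**hyps, d.label: d.hyp}))
    if isinstance(d, ImpE):
        f, a = check(d.fun, hyps), check(d.arg, hyps)
        if not (isinstance(f, Imp) and f.left == a): raise ValueError("⊃E: premises do not match")
        return f.right
    if isinstance(d, AllI):   # proviso: the parameter must be new
        for label, h in hyps.items():
            if d.param in free_syms(h):
                raise ValueError(f"∀I^{d.param}: {d.param} is free in hypothesis {label}")
        prem = check(d.body, hyps)
        concl = All(d.var, subst_f(prem, d.var, d.param))
        if d.param in free_syms(concl) or d.var in free_syms(prem):
            raise ValueError(f"∀I^{d.param}: {d.param} would remain in the conclusion")
        return concl
    f = check(d.body, hyps)   # AllE
    if not isinstance(f, All): raise ValueError("∀E: premise is not a universal formula")
    return subst_f(f.body, d.term, f.var)

def subst_d(d, e, u):
    """[E/u]D: replace every use of hypothesis u in d by the derivation e."""
    sd = lambda x: subst_d(x, e, u)
    if isinstance(d, Hyp):  return e if d.label == u else d
    if isinstance(d, ImpI): return d if d.label == u else ImpI(d.label, d.hyp, sd(d.body))
    if isinstance(d, ImpE): return ImpE(sd(d.fun), sd(d.arg))
    if isinstance(d, AllI): return AllI(d.param, d.var, sd(d.body))
    return AllE(sd(d.body), d.term)

def subst_p(d, t, a):
    """[t/a]D: replace parameter a by t throughout d, leaves and discharges included."""
    sf, sp = (lambda f: subst_f(f, t, a)), (lambda x: subst_p(x, t, a))
    if isinstance(d, Hyp):  return Hyp(d.label, sf(d.formula))
    if isinstance(d, ImpI): return ImpI(d.label, sf(d.hyp), sp(d.body))
    if isinstance(d, ImpE): return ImpE(sp(d.fun), sp(d.arg))
    if isinstance(d, AllI): return AllI(d.param, d.var, sp(d.body))
    return AllE(sp(d.body), t if d.term == a else d.term)

def reduce_local(d):
    """One local reduction at the root: introduction then matching elimination."""
    if isinstance(d, ImpE) and isinstance(d.fun, ImpI):
        return subst_d(d.fun.body, d.arg, d.fun.label)      # ⊃I^u then ⊃E  ==>R  [E/u]D
    if isinstance(d, AllE) and isinstance(d.body, AllI):
        return subst_p(d.body.body, d.term, d.body.param)   # ∀I^a then ∀E  ==>R  [t/a]D
    return d

def P(t):                                   # constructed atoms P(a), P(b), P(c)
    return Atom('P', (t,))

# ∀I^a immediately followed by ∀E on the derivation of P(a) ⊃ P(a): a redex.
IDENT_REDEX = AllE(AllI('a', 'x', ImpI('u', P('a'), Hyp('u', P('a')))), 'c')

# The flawed deduction of ∀x. ∀y. P(x) ⊃ P(y) from the text: the inner ∀I^a is
# applied while the hypothesis u: P(a) is still undischarged.
FLAWED = AllI('a', 'x', AllI('b', 'y', ImpI('u', P('a'),
             AllE(AllI('a', 'x', Hyp('u', P('a'))), 'b'))))

def error_of(d):
    """The checker's complaint about d, or None when d is a valid deduction."""
    try:
        check(d)
    except ValueError as e:
        return str(e)
```

`check` is what an independent verifier of proof objects does: it never trusts a conclusion stated by the prover but recomputes it from the tree and rejects any step whose proviso fails. `reduce_local` is only a tree rewrite; that it preserves validity is exactly what the proviso on $\forall I$ guarantees, and `FLAWED` shows what happens when the proviso is violated.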


Classical logic. The inference rules so far only model intuitionistic logic, and some classically true formulas such as Peirce's law $((A \supset B) \supset A) \supset A$ (for arbitrary $A$ and $B$) or double negation $(\neg\neg A) \supset A$ (for arbitrary $A$) are not derivable. There are a number of equivalent ways to extend the system to full classical logic, typically using negation (for example, the law of excluded middle, proof by contradiction, or double negation elimination). In the fragment without disjunction or falsehood, we might choose either a rule of double negation or proof by contradiction.

\[
\frac{\vdash^N \neg\neg A}{\vdash^N A}\ \mathit{dbneg} \qquad\qquad \frac{\begin{array}{c} \overline{\vdash^N \neg A}\;u \\ \vdots \\ \vdash^N p \end{array}}{\vdash^N A}\ \mathit{contr}^{p,u}
\]

The rule for classical logic (whichever we choose to adopt) breaks the pattern of introduction and elimination rules. One can still formulate some reductions for classical derivations, but natural deduction is at heart an intuitionistic calculus. The symmetries of classical logic are better exhibited in sequent calculi.

Here is a simple example of a natural deduction showing that $\vdash^N A \supset \neg\neg A$ is derivable in intuitionistic logic. We attempt to show the process by which such a deduction may have been generated, as well as the final deduction. The three vertical dots indicate a gap in the derivation we are trying to construct, with hypotheses shown above and the desired conclusion below the gap. A trace of this process when the search is carried out in a logical framework is given in Section 4.4.

\[
\frac{\begin{array}{c} \overline{\vdash^N A}\;u \\ \vdots \\ \vdash^N \neg\neg A \end{array}}{\vdash^N A \supset \neg\neg A}\ \supset\!I^u
\qquad\qquad
\frac{\dfrac{\begin{array}{c} \overline{\vdash^N A}\;u \qquad \overline{\vdash^N \neg A}\;w \\ \vdots \\ \vdash^N p \end{array}}{\vdash^N \neg\neg A}\ \neg I^{p,w}}{\vdash^N A \supset \neg\neg A}\ \supset\!I^u
\]

\[
\frac{\dfrac{\dfrac{\overline{\vdash^N \neg A}\;w \qquad \overline{\vdash^N A}\;u}{\vdash^N p}\ \neg E}{\vdash^N \neg\neg A}\ \neg I^{p,w}}{\vdash^N A \supset \neg\neg A}\ \supset\!I^u
\]

The symbol $A$ in this deduction stands for an arbitrary formula; we can thus view the derivation above as parametric in $A$. In other words, every instance of this derivation (replacing $A$ by an arbitrary formula) is a valid derivation.

Below is a summary of the rules of intuitionistic natural deduction. The use of hypotheses is implicit in this formulation, using our understanding of hypothetical judgments.

Introduction Rules

\[
\frac{\begin{array}{c} \overline{\vdash^N A}\;u \\ \vdots \\ \vdash^N B \end{array}}{\vdash^N A \supset B}\ \supset\!I^u
\qquad
\frac{\begin{array}{c} \overline{\vdash^N A}\;u \\ \vdots \\ \vdash^N p \end{array}}{\vdash^N \neg A}\ \neg I^{p,u}
\qquad
\frac{\vdash^N [a/x]A}{\vdash^N \forall x.\, A}\ \forall I^a
\]

Elimination Rules

\[
\frac{\vdash^N A \supset B \qquad \vdash^N A}{\vdash^N B}\ \supset\!E
\qquad
\frac{\vdash^N \neg A \qquad \vdash^N A}{\vdash^N C}\ \neg E
\qquad
\frac{\vdash^N \forall x.\, A}{\vdash^N [t/x]A}\ \forall E
\]
3.3. Representing derivability

There are several approaches to the representation of natural deductions in logical frameworks. We can introduce a predicate $\mathit{nd}$ such that $\mathit{nd}(\ulcorner A \urcorner)$ holds in the meta-logic if and only if $\vdash^N A$ has a derivation. This does not require an explicit representation of natural deductions as objects in the meta-language. Another possibility is to introduce an explicit representation for natural deductions and encode the property "$\mathcal{D}$ is a deduction of $A$".

We first consider the encoding of derivability via axioms in a meta-logic. In order to take advantage of higher-order abstract syntax in the representation, we need to go beyond Horn clauses as introduced in Section 2.1. An appropriate language is the language of hereditary Harrop formulas [Miller et al. 1991] which form the basis both of the logic programming language λProlog [λProlog 1997] and the generic theorem prover Isabelle [Isabelle 1998]. Variations of this approach to encoding derivability have been devised by Paulson [1986] and Felty and Miller [1988, 1989]. Quantifiers in the meta-logic have type labels and range over simply-typed λ-terms. Since it is unnecessary for our purposes, we exclude quantification over formulas in the meta-logic and omit some logical connectives that are easily definable. The meta-variable $A$ ranges here over simple types as in Section 6 and should not be confused with the formulas of first-order logic in the preceding section.

\[
\text{Hereditary Harrop formulas} \qquad H ::= P \mid \top \mid H_1 \wedge H_2 \mid H_1 \supset H_2 \mid \forall x{:}A.\, H
\]

There are two important differences to Horn logic: the addition of types so that quantifiers now range over simply-typed λ-terms, and the generalization which allows the body of clauses to contain implications and universal quantifications (so-called embedded implication and embedded universal quantification). On this fragment classical and intuitionistic logic diverge, so it is crucial that the meta-logic is intuitionistic. A theory $T$ is a collection of closed hereditary Harrop formulas.

\[
T \vdash H \qquad \text{theory } T \text{ intuitionistically entails proposition } H
\]

The extension to allow embedded implications also means that theories consisting of hereditary Harrop formulas no longer constitute inductive definitions the way Horn clauses do.

Derivability by natural deductions is represented by a predicate $\mathit{nd}$ on representations of formulas, that is, meta-level terms of type $o$. The inference rules are then translated into meta-level axioms concerning the predicate $\mathit{nd}$. For example, the rule $\supset\!E$ is implemented by

\[
\forall A{:}o.\, \forall B{:}o.\, (\mathit{nd}\,(\mathit{imp}\,A\,B) \wedge \mathit{nd}\,A) \supset \mathit{nd}\,B
\]

In order to represent hypothetical judgments we take advantage of embedded implication. This is correct only because the meta-logic is intuitionistic and a complete strategy for proving a formula $H_1 \supset H_2$ is to prove $H_2$ under assumption $H_1$. Using this fact, one can prove that the following axiom is an adequate representation of the $\supset\!I$ rule.

\[
\forall A{:}o.\, \forall B{:}o.\, (\mathit{nd}\,A \supset \mathit{nd}\,B) \supset \mathit{nd}\,(\mathit{imp}\,A\,B)
\]

For parametric judgments we can use a similar encoding with embedded universal quantification. We state the remaining rules here for completeness; the same idea is employed in the type-theoretic treatment in Section 3.4 and explained there in detail.

\[
\begin{array}{l}
\forall A{:}o.\, (\forall p{:}o.\, \mathit{nd}(A) \supset \mathit{nd}(p)) \supset \mathit{nd}(\mathit{not}\,A) \\[4pt]
\forall A{:}o.\, \mathit{nd}(\mathit{not}\,A) \supset \forall C{:}o.\, (\mathit{nd}(A) \supset \mathit{nd}(C)) \\[4pt]
\forall A{:}i \to o.\, (\forall x{:}i.\, \mathit{nd}\,(A\,x)) \supset \mathit{nd}\,(\mathit{forall}\,(\lambda x{:}i.\, A\,x)) \\[4pt]
\forall A{:}i \to o.\, \mathit{nd}\,(\mathit{forall}\,(\lambda x{:}i.\, A\,x)) \supset (\forall x{:}i.\, \mathit{nd}\,(A\,x))
\end{array}
\]

We summarize the representation principle in the phrase judgments-as-propositions: judgments of the object language (e.g., $\vdash^N A$) are represented by a proposition in the meta-logic (e.g., $\mathit{nd}(\ulcorner A \urcorner)$). The adequacy theorem of this representation is rather direct. We refer to the theory consisting of the type declarations and the six axioms above as $\mathit{ND}$.

3.1. Theorem (Adequacy).

\[
\mathit{ND} \vdash \mathit{nd}(\ulcorner A \urcorner) \quad \text{iff} \quad \vdash^N A
\]

In order to prove this theorem, we need to generalize it to account for hypothetical judgments. One possible form employs meta-level implication.

\[
\mathit{ND} \vdash \mathit{nd}(\ulcorner A_1 \urcorner) \supset \cdots \supset \mathit{nd}(\ulcorner A_n \urcorner) \supset \mathit{nd}(\ulcorner A \urcorner)
\quad \text{iff} \quad
\begin{array}{c} \overline{\vdash^N A_1}\;u_1 \quad \cdots \quad \overline{\vdash^N A_n}\;u_n \\ \vdots \\ \vdash^N A \end{array}
\]

Another form, given for the related type-theoretic interpretation in the next section, directly uses hypothetical reasoning in the meta-language.


3.4. Deductions as objects

If we have a general reasoning tool for hereditary Harrop formulas we can now reason in intuitionistic logic by using the axioms in the theory $\mathit{ND}$, and in classical logic if we assume an additional axiom modelling double negation elimination. Isabelle [Isabelle 1998, Nipkow and Paulson 1992] is such a general tool. Proof search can be programmed externally by using a language of tactics and tacticals to construct derivations using these axioms and derived rules of inference. The meta-programming language in this case is ML, whose type system together with a correct implementation of hereditary Harrop formulas guarantees that only well-formed meta-derivations can be constructed. More on this style of reasoning with the aid of a logical framework implementation can be found in Section 4. As mentioned above, this is an implementation of derivability and explicit deductions need never be constructed. If they are maintained, they are only an internal data structure.

There are many circumstances where we are interested in deductions as explicit objects. For example, we may want to extract functional programs from constructive (or even classical) derivations. Or we may want to implement proof transformation and presentation tools in a theorem proving environment. If we do not trust a complex theorem prover, we may construct it so that it generates proof objects which can be independently verified. In the architecture of proof-carrying code [Necula 1997], deductions represented in LF are attached to mobile code to certify safety (see Section 8.2). Another class of applications is the implementation of the meta-theory of the deductive systems under consideration. For example, we may want to show that natural deductions and axiomatic derivations define the same theorems and exhibit translations between them (see Sections 5.2 and 5.4).

The simply-typed λ-calculus, which we used to represent the terms and formulas of first-order logic, is also a good starting point for the representation of natural deductions. As we will see below we need to refine it further in order to allow an internal validity condition for deductions. This leads us to $\lambda^\Pi$, the dependently typed λ-calculus underlying the LF logical framework [Harper et al. 1993].

We begin by introducing a new type $\mathit{nd}$ of natural deductions instead of the predicate introduced in the previous section. An inference rule is a constant function from deductions of the premises to a deduction of the conclusion. For example,

\[
\mathit{impe} : \mathit{nd} \to \mathit{nd} \to \mathit{nd}
\]

might be used to represent implication elimination. A hypothetical deduction is represented as a function from a derivation of the hypothesis to a derivation of the conclusion.

\[
\mathit{impi} : (\mathit{nd} \to \mathit{nd}) \to \mathit{nd}
\]

One can clearly see that this representation requires an external validity condition since it does not carry the information about the conclusion of a derivation. For example, we have

\[
\vdash \mathit{impi}\,(\lambda u{:}\mathit{nd}.\, \mathit{impe}\,u\,u) : \mathit{nd}
\]

but this term does not represent a valid natural deduction. An external validity predicate can be specified using hereditary Harrop formulas and is executable in λProlog [Felty and Miller 1988, Felty 1989]. However, it is dynamic (rather than static) and not prima facie decidable. Furthermore, during search external mechanisms must be put into place in order to prevent invalid deductions. This is related to the problem of invalid tactics in ML/LCF [Gordon, Milner and Wadsworth 1979]. Through data abstraction, tactics are guaranteed to generate only valid deductions, but the type system cannot enforce that they have the expected conclusion.

Fortunately, it is possible to refine the simply-typed λ-calculus so that validity of the representation of derivations becomes an internal property, without destroying the decidability of the type system. This is achieved by introducing indexed types. Consider the following encoding of the elimination rule for implication.

\[
\mathit{impe} : \mathit{nd}\,(\mathit{imp}\,A\,B) \to \mathit{nd}\,A \to \mathit{nd}\,B
\]

In this specification, $\mathit{nd}\,(\mathit{imp}\,A\,B)$ is a type, the type representing derivations of $A \supset B$. Thus we speak of the judgments-as-types principle. The type family $\mathit{nd}$ is indexed by objects of type $o$.

\[
\mathit{nd} : o \to \mathrm{type}
\]

We call $o \to \mathrm{type}$ a kind. Secondly, we have to consider the status of the free variables $A$ and $B$ in the declaration. Intuitively, $\mathit{impe}$ represents a whole family of constants, one for each choice of $A$ and $B$. Schematic declarations like the one given above are desirable in practice, but they lead to an undecidable type checking problem [Dowek 1993]. We can recover decidability by viewing $A$ and $B$ as additional arguments in the representation of $\supset\!E$. Thus $\mathit{impe}$ has four arguments representing $A$, $B$, a derivation of $A \supset B$ and a derivation of $A$. It returns a derivation of $B$. With the usual function type constructor we could only write

\[
\mathit{impe} : o \to o \to \mathit{nd}\,(\mathit{imp}\,A\,B) \to \mathit{nd}\,A \to \mathit{nd}\,B.
\]

This does not express the dependencies between the first two arguments and the types of the remaining arguments. Thus we name the first two arguments $A$ and $B$, respectively, and write

\[
\mathit{impe} : \Pi A{:}o.\, \Pi B{:}o.\, \mathit{nd}\,(\mathit{imp}\,A\,B) \to \mathit{nd}\,A \to \mathit{nd}\,B.
\]

This is a closed type, since the dependent function type constructor $\Pi$ binds the following variable. From the consideration above we can see that the typing rule for application of a function with dependent type should be

\[
\frac{\Gamma \vdash_\Sigma M : \Pi x{:}A.\, B \qquad \Gamma \vdash_\Sigma N : A}{\Gamma \vdash_\Sigma M\,N : [N/x]B}\ \mathit{app}
\]

For example, given a variable $p{:}o$ we have

\[
p{:}o \vdash_\Sigma \mathit{impe}\,(\mathit{not}\,p)\,p : \mathit{nd}\,(\mathit{imp}\,(\mathit{not}\,p)\,p) \to \mathit{nd}\,(\mathit{not}\,p) \to \mathit{nd}\,p
\]

where the signature $\Sigma$ contains the declarations for formulas and inference rules developed above. The counterexample $\mathit{impi}\,(\lambda u{:}\mathit{nd}\,A.\, \mathit{impe}\,u\,u)$ from above is now no longer well-typed: the instance of $A$ would have to be of the form $A_1 \supset A_2$ (first occurrence of $u$) and simultaneously be equal to $A_1$ (second occurrence of $u$). This is clearly impossible. The rule for λ-abstraction does not change much from the simply-typed calculus.

\[
\frac{\Gamma \vdash_\Sigma A : \mathrm{type} \qquad \Gamma, x{:}A \vdash_\Sigma M : B}{\Gamma \vdash_\Sigma \lambda x{:}A.\, M : \Pi x{:}A.\, B}\ \mathit{lam}
\]

The variable $x$ may now appear free in $B$, whereas without dependencies it could only occur free in $M$. From these two rules it can be seen that the rules for $\Pi x{:}A.\, B$ specialize to the rules for $A \to B$ if $x$ does not occur in $B$. Thus $A \to B$ is generally considered a derived notation that stands for $\Pi x{:}A.\, B$ for a variable $x$ not free in $B$.

Dependent types further create the need for a rule of type conversion. This is required, for example, in the representation of $\forall\mathrm{I}$ below. We take a brief excursion into the realm of functional programming to illustrate the nature of dependent types and the need for type conversion. Consider a type family $\mathsf{vector}$ indexed by a natural number representing its length. Then concatenation of vectors would have type
$$\mathsf{concat} : \Pi n{:}\mathsf{nat}.\ \Pi m{:}\mathsf{nat}.\ \mathsf{vector}\ n \to \mathsf{vector}\ m \to \mathsf{vector}\ (n + m).$$
Using the inference rules for application we find
$$\mathsf{concat}\ 2\ 3\ [1,2]\ [1,3,5] : \mathsf{vector}\ (2+3), \qquad\text{and}\qquad \mathsf{concat}\ 3\ 2\ [1,2,1]\ [3,5] : \mathsf{vector}\ (3+2).$$
Since both expressions compute to the same value, namely
$$[1,2,1,3,5] : \mathsf{vector}\ 5,$$
we would expect that in a sensible type system all three expressions would have the same type. Evidently they do not, unless we identify the types $\mathsf{vector}\ (2+3)$, $\mathsf{vector}\ (3+2)$, and $\mathsf{vector}\ 5$. All of them represent the type of vectors of length 5, so identifying them makes sense intuitively. In general, we add a rule of type conversion that allows us to apply definitional equalities in a type.

$$\frac{\Gamma \vdash_\Sigma M : A \qquad \Gamma \vdash_\Sigma A = B : \mathsf{type}}{\Gamma \vdash_\Sigma M : B}\ \mathrm{conv}$$

The example above also shows that adding dependent types to a functional language can quickly lead to an undecidable type checking problem, since we need to compare expressions in the programming language for equality (which is undecidable in general). The LF type theory contains no recursion at the level of objects and type-checking remains decidable since definitional equality remains decidable. This is an important illustration of the design principle that the framework should be as weak as possible. Adding recursion, while it may occasionally seem desirable, can easily destroy decidability of definitional equality and therefore typing. In an undecidable type system, validity of the representations for deductions would then no longer be a static, internal property.

A full complement of rules for the $\lambda^\Pi$ type theory is given in Section 7. A version with a weaker notion of definitional equality is given in Chapter XXII.

With dependent function types, we can now give a representation for natural deductions with an internal validity condition. This is summarized in Theorem 3.2 below. We first introduce a type family $\mathsf{nd}$ that is indexed by a formula. The LF type $\mathsf{nd}\ \ulcorner A\urcorner$ is intended to represent the type of natural deductions of the formula $A$.
$$\mathsf{nd} : o \to \mathsf{type}$$

Each  inference  rule  is  represented  by  an  LF  constant  which  can  be  thought  of 
as  a  function  from  a  derivation  of  the  premises  of  the  rule  to  a  derivation  of  the 
conclusion.  The  constant  further  depends  on  the  schematic  variables  that  occur  in 
the  specification  of  the  inference  rule. 


Implication. The introduction rule for implication employs a hypothetical judgment. The derivation of the hypothetical judgment in the premise is represented as a function which, when applied to a derivation of $A$, yields a derivation of $B$.
$$\left\ulcorner\ \frac{\begin{array}{c}\overline{\vdash A}\ u\\ \mathcal{D}\\ \vdash B\end{array}}{\vdash A \supset B}\ \supset\!\mathrm{I}^u\ \right\urcorner = \mathsf{impi}\ \ulcorner A\urcorner\ \ulcorner B\urcorner\ (\lambda u{:}\mathsf{nd}\ \ulcorner A\urcorner.\ \ulcorner\mathcal{D}\urcorner)$$
The assumption $A$ labelled by $u$ which may be used in the derivation $\mathcal{D}$ is represented by the LF variable $u$ which ranges over derivations of $A$.
$$\left\ulcorner\ \overline{\vdash A}\ u\ \right\urcorner = u$$
From this we can deduce the type of the $\mathsf{impi}$ constant.
$$\mathsf{impi} : \Pi A{:}o.\ \Pi B{:}o.\ (\mathsf{nd}\ A \to \mathsf{nd}\ B) \to \mathsf{nd}\ (\mathsf{imp}\ A\ B)$$

The elimination rule is simpler, since it does not involve a hypothetical judgment. The representation of a derivation ending in the elimination rule is defined by
$$\left\ulcorner\ \frac{\begin{array}{c}\mathcal{D}\\ \vdash A \supset B\end{array} \qquad \begin{array}{c}\mathcal{E}\\ \vdash A\end{array}}{\vdash B}\ \supset\!\mathrm{E}\ \right\urcorner = \mathsf{impe}\ \ulcorner A\urcorner\ \ulcorner B\urcorner\ \ulcorner\mathcal{D}\urcorner\ \ulcorner\mathcal{E}\urcorner$$
where
$$\mathsf{impe} : \Pi A{:}o.\ \Pi B{:}o.\ \mathsf{nd}\ (\mathsf{imp}\ A\ B) \to \mathsf{nd}\ A \to \mathsf{nd}\ B.$$
As an example we consider a derivation of $A \supset (B \supset A)$.
$$\frac{\dfrac{\overline{\vdash A}\ u}{\vdash B \supset A}\ \supset\!\mathrm{I}^w}{\vdash A \supset (B \supset A)}\ \supset\!\mathrm{I}^u$$
Note that the assumption $B$ labelled $w$ is not used and therefore does not appear in the derivation. This derivation is represented by the LF object
$$\mathsf{impi}\ \ulcorner A\urcorner\ (\mathsf{imp}\ \ulcorner B\urcorner\ \ulcorner A\urcorner)\ (\lambda u{:}\mathsf{nd}\ \ulcorner A\urcorner.\ \mathsf{impi}\ \ulcorner B\urcorner\ \ulcorner A\urcorner\ (\lambda w{:}\mathsf{nd}\ \ulcorner B\urcorner.\ u))$$
which has type
$$\mathsf{nd}\ (\mathsf{imp}\ \ulcorner A\urcorner\ (\mathsf{imp}\ \ulcorner B\urcorner\ \ulcorner A\urcorner)).$$
This example shows clearly some redundancies in the representation of the deduction (there are many occurrences of $\ulcorner A\urcorner$ and $\ulcorner B\urcorner$). Fortunately, it is possible to analyze the types of constructors and eliminate much of this redundancy through term reconstruction [Pfenning 1991a, Necula and Lee 1998b]. Section 8.2 has some additional brief remarks on this issue.

Negation. The introduction and elimination rules for negation and their representation follow the pattern of the rules for implication.
$$\left\ulcorner\ \frac{\begin{array}{c}\overline{\vdash A}\ u\\ \mathcal{D}\\ \vdash p\end{array}}{\vdash \neg A}\ \neg\mathrm{I}^{p,u}\ \right\urcorner = \mathsf{noti}\ \ulcorner A\urcorner\ (\lambda p{:}o.\ \lambda u{:}\mathsf{nd}\ \ulcorner A\urcorner.\ \ulcorner\mathcal{D}\urcorner)$$
The judgment of the premise is parametric in $p$ and hypothetical in $u$. It is thus represented as a function of two arguments, accepting both a formula $p$ and a deduction of $A$.
$$\mathsf{noti} : \Pi A{:}o.\ (\Pi p{:}o.\ \mathsf{nd}\ A \to \mathsf{nd}\ p) \to \mathsf{nd}\ (\mathsf{not}\ A)$$

The representation of negation elimination
$$\left\ulcorner\ \frac{\begin{array}{c}\mathcal{D}\\ \vdash \neg A\end{array} \qquad \begin{array}{c}\mathcal{E}\\ \vdash A\end{array}}{\vdash C}\ \neg\mathrm{E}\ \right\urcorner = \mathsf{note}\ \ulcorner A\urcorner\ \ulcorner\mathcal{D}\urcorner\ \ulcorner C\urcorner\ \ulcorner\mathcal{E}\urcorner$$
leads to the following declaration
$$\mathsf{note} : \Pi A{:}o.\ \mathsf{nd}\ (\mathsf{not}\ A) \to \Pi C{:}o.\ \mathsf{nd}\ A \to \mathsf{nd}\ C$$
This type just inverts the second argument and result of the $\mathsf{noti}$ constant, which is the reason for the chosen argument order. Clearly,
$$\mathsf{note}' : \Pi A{:}o.\ \Pi C{:}o.\ \mathsf{nd}\ (\mathsf{not}\ A) \to \mathsf{nd}\ A \to \mathsf{nd}\ C$$
is an equivalent declaration.
Universal quantification. Recall that $\ulcorner \forall x.\,A\urcorner = \mathsf{forall}\ (\lambda x{:}i.\ \ulcorner A\urcorner)$ and that the premise of the introduction rule is parametric in $a$.
$$\left\ulcorner\ \frac{\begin{array}{c}\mathcal{D}\\ \vdash [a/x]A\end{array}}{\vdash \forall x.\,A}\ \forall\mathrm{I}^a\ \right\urcorner = \mathsf{foralli}\ (\lambda x{:}i.\ \ulcorner A\urcorner)\ (\lambda a{:}i.\ \ulcorner\mathcal{D}\urcorner)$$
Note that $\ulcorner A\urcorner$, the representation of $A$, has a free variable $x$ which must be bound in the meta-language, so that the representing object does not have a free variable $x$. Similarly, the parameter $a$ is bound at this inference and must be correspondingly bound in the meta-language. The representation determines the type of the constant $\mathsf{foralli}$.
$$\mathsf{foralli} : \Pi A{:}i \to o.\ (\Pi a{:}i.\ \mathsf{nd}\ (A\ a)) \to \mathsf{nd}\ (\mathsf{forall}\ A)$$
In an application of this constant, the argument labelled $A$ will be $\lambda x{:}i.\ \ulcorner A\urcorner$ and $(A\ a)$ will be $(\lambda x{:}i.\ \ulcorner A\urcorner)\ a$ which is equivalent to $[a/x]\ulcorner A\urcorner$ which in turn is equivalent to $\ulcorner [a/x]A\urcorner$ by the compositionality of the representation.

The elimination rule does not employ a hypothetical judgment.
$$\left\ulcorner\ \frac{\begin{array}{c}\mathcal{D}\\ \vdash \forall x.\,A\end{array}}{\vdash [t/x]A}\ \forall\mathrm{E}\ \right\urcorner = \mathsf{foralle}\ (\lambda x{:}i.\ \ulcorner A\urcorner)\ \ulcorner\mathcal{D}\urcorner\ \ulcorner t\urcorner$$
The substitution of $t$ for $x$ in $A$ is represented by the application of the function $(\lambda x{:}i.\ \ulcorner A\urcorner)$ (the first argument to $\mathsf{foralle}$) to $\ulcorner t\urcorner$.
$$\mathsf{foralle} : \Pi A{:}i \to o.\ \mathsf{nd}\ (\mathsf{forall}\ A) \to \Pi t{:}i.\ \mathsf{nd}\ (A\ t)$$

We now check that
$$\left\ulcorner\ \frac{\begin{array}{c}\mathcal{D}\\ \vdash \forall x.\,A\end{array}}{\vdash [t/x]A}\ \forall\mathrm{E}\ \right\urcorner : \mathsf{nd}\ \ulcorner [t/x]A\urcorner,$$
assuming that $\ulcorner\mathcal{D}\urcorner : \mathsf{nd}\ \ulcorner \forall x.\,A\urcorner$. This is a part of the proof of adequacy of this representation of natural deductions. At each step we verify that the arguments have the expected type and compute the type of the application.
$$\begin{array}{lcl}
\mathsf{foralle} &:& \Pi A{:}i \to o.\ \mathsf{nd}\ (\mathsf{forall}\ A) \to \Pi t{:}i.\ \mathsf{nd}\ (A\ t)\\
\mathsf{foralle}\ (\lambda x{:}i.\ \ulcorner A\urcorner) &:& \mathsf{nd}\ (\mathsf{forall}\ (\lambda x{:}i.\ \ulcorner A\urcorner)) \to \Pi t{:}i.\ \mathsf{nd}\ ((\lambda x{:}i.\ \ulcorner A\urcorner)\ t)\\
\mathsf{foralle}\ (\lambda x{:}i.\ \ulcorner A\urcorner)\ \ulcorner\mathcal{D}\urcorner &:& \Pi t{:}i.\ \mathsf{nd}\ ((\lambda x{:}i.\ \ulcorner A\urcorner)\ t)\\
\mathsf{foralle}\ (\lambda x{:}i.\ \ulcorner A\urcorner)\ \ulcorner\mathcal{D}\urcorner\ \ulcorner t\urcorner &:& \mathsf{nd}\ ((\lambda x{:}i.\ \ulcorner A\urcorner)\ \ulcorner t\urcorner)\\
\mathsf{foralle}\ (\lambda x{:}i.\ \ulcorner A\urcorner)\ \ulcorner\mathcal{D}\urcorner\ \ulcorner t\urcorner &:& \mathsf{nd}\ ([\ulcorner t\urcorner/x]\ulcorner A\urcorner)
\end{array}$$
The last step follows by type conversion, noting that
$$(\lambda x{:}i.\ \ulcorner A\urcorner)\ \ulcorner t\urcorner = [\ulcorner t\urcorner/x]\ulcorner A\urcorner.$$
Furthermore, by the compositionality of the representation we have
$$[\ulcorner t\urcorner/x]\ulcorner A\urcorner = \ulcorner [t/x]A\urcorner$$
which yields the desired
$$\mathsf{foralle}\ (\lambda x{:}i.\ \ulcorner A\urcorner)\ \ulcorner\mathcal{D}\urcorner\ \ulcorner t\urcorner : \mathsf{nd}\ \ulcorner [t/x]A\urcorner.$$

The representation theorem relates canonical objects constructed in certain contexts to natural deductions. The restriction to canonical objects is once again crucial, as are the restrictions on the form of the context. We call the signature consisting of the declarations for first-order terms, formulas, and natural deductions $ND$.

3.2. Theorem (Adequacy).

1. If $\mathcal{D}$ is a derivation of $A$ from hypotheses $\vdash A_1, \ldots, \vdash A_n$ labelled $u_1, \ldots, u_n$, respectively, with all free individual parameters among $a_1, \ldots, a_m$ and propositional parameters among $p_1, \ldots, p_k$ then
$$a_1{:}i, \ldots, a_m{:}i,\ p_1{:}o, \ldots, p_k{:}o,\ u_1{:}\mathsf{nd}\ \ulcorner A_1\urcorner, \ldots, u_n{:}\mathsf{nd}\ \ulcorner A_n\urcorner \vdash_{ND} \ulcorner\mathcal{D}\urcorner \Uparrow \mathsf{nd}\ \ulcorner A\urcorner$$

2. If
$$a_1{:}i, \ldots, a_m{:}i,\ p_1{:}o, \ldots, p_k{:}o,\ u_1{:}\mathsf{nd}\ \ulcorner A_1\urcorner, \ldots, u_n{:}\mathsf{nd}\ \ulcorner A_n\urcorner \vdash_{ND} M \Uparrow \mathsf{nd}\ \ulcorner A\urcorner$$
then $M = \ulcorner\mathcal{D}\urcorner$ for a derivation $\mathcal{D}$ as in part 1.

3. The representation function is a bijection, and is compositional in the sense that the following equalities hold.
$$\begin{array}{lcl}
\ulcorner [t/a]\mathcal{D}\urcorner &=& [\ulcorner t\urcorner/a]\ulcorner\mathcal{D}\urcorner\\
\ulcorner [C/p]\mathcal{D}\urcorner &=& [\ulcorner C\urcorner/p]\ulcorner\mathcal{D}\urcorner\\
\ulcorner [\mathcal{E}/u]\mathcal{D}\urcorner &=& [\ulcorner\mathcal{E}\urcorner/u]\ulcorner\mathcal{D}\urcorner
\end{array}$$

Proof. The proof proceeds by induction on the structure of natural deductions in one direction and on the definition of canonical forms in the other direction. □

Each of the rules that may be added to obtain classical logic can be easily represented with the techniques from above. They are left as an exercise to the reader.

We summarize the LF encoding of natural deductions. We make a few cosmetic changes which reflect common practice in the use of logical frameworks. The first is the use of infix and prefix notation for logical connectives. According to our conventions, implication is right associative, and negation is a prefix operator binding more tightly than implication.

i : type.
o : type.

imp : o → o → o.
not : o → o.
forall : (i → o) → o.

The second simplification in the concrete presentation is to omit some Π-quantifiers. Free variables in a declaration are then interpreted as schematic variables whose quantifiers remain implicit. The types of such free variables must be determined from the context in which they appear. In practical implementations such as Twelf [Pfenning and Schürmann 1998b, Pfenning and Schürmann 1998c], type reconstruction will issue an error message if the type of a free variable is ambiguous.

nd : o → type.

impi : (nd A → nd B) → nd (A imp B).
impe : nd (A imp B) → nd A → nd B.
noti : (Πp:o. nd A → nd p) → nd (not A).
note : nd (not A) → (ΠC:o. nd A → nd C).

foralli : (Πa:i. nd (A a)) → nd (forall A).

foralle : nd (forall A) → (ΠT:i. nd (A T)).

When constants with implicitly quantified types are used, arguments corresponding to the omitted quantifiers are also left implicit. Again, in practical implementations these arguments are inferred from context. For example, the constant impi now appears to take only one argument (of type nd A → nd B for some A and B) rather than three, as in the fully explicit declaration

impi : ΠA:o. ΠB:o. (nd A → nd B) → nd (A imp B).

The derivation of $A \supset (B \supset A)$ from above has this very concise representation:

impi (λu:nd A. impi (λv:nd B. u)) : nd (A imp (B imp A)).

In summary, the basic representation principle underlying LF is the representation of judgments as types. A deduction of a judgment $J$ is represented as a canonical object $M$ whose type is the representation of $J$. This basic scheme is extended to represent hypothetical judgments as simple function types and parametric judgments as dependent function types. This encoding reduces the question of validity for a derivation to the question of well-typedness for its representation. Since type-checking in the LF type theory is decidable, the validity of derivations has been internalized as a decidable property in the logical framework.


3.5. An axiomatic formulation

A second important style of deductive system is axiomatic: rather than explaining the meaning of quantifiers and connectives by inference rules, we use mostly axiom schemas and as few inference rules as possible. The following is the system $\mathrm{H}_1$-IQC [Troelstra and van Dalen 1988]. It consists of the following axiom schemas, and the two rules of inference below.
$$\begin{array}{ll}
\vdash A \supset (B \supset A) & (K)\\
\vdash (A \supset (B \supset C)) \supset ((A \supset B) \supset (A \supset C)) & (S)\\
\vdash (A \supset \neg B) \supset ((A \supset B) \supset \neg A) & (N_1)\\
\vdash \neg A \supset (A \supset B) & (N_2)\\
\vdash (\forall x.\,A) \supset [t/x]A & (F_1)\\
\vdash (\forall x.\,(B \supset A)) \supset (B \supset \forall x.\,A) & (F_2)^*
\end{array}$$
with the proviso that $x$ must not be free in $B$ in the rule $(F_2)$. The two rules of inference are modus ponens MP and universal generalization UG.
$$\frac{\vdash A \supset B \qquad \vdash A}{\vdash B}\ \mathrm{MP} \qquad\qquad \frac{\vdash [a/x]A}{\vdash \forall x.\,A}\ \mathrm{UG}^a$$
The universal generalization rule carries the proviso that $a$ must be a new parameter, that is, may not already occur in $A$. The representation of the propositional axioms and modus ponens is straightforward, following the ideas in the representation of natural deduction. We introduce a type family hil for axiomatic deductions, indexed by the conclusion of the derivation. In order to improve readability, we use infix notation for implication. Also, we have chosen constant names in lower case so that the presentation of the translations in Section 5.2 will be easier to read.

hil : o → type.
k : hil (A imp B imp A).
s : hil ((A imp B imp C) imp (A imp B) imp A imp C).
n1 : hil ((A imp not B) imp (A imp B) imp not A).
n2 : hil (not A imp A imp B).

For rule $(F_1)$ we need to implement substitution, which is done as usual in higher-order abstract syntax by application, here of A to T.

f1 : ΠT:i. hil (forall (λx:i. A x) imp A T).

For the rule $(F_2)$ we must capture the side-condition that $x$ is not free in the antecedent of the implication. The following achieves this directly.

f2 : hil (forall (λx:i. B imp A x) imp B imp forall (λx:i. A x)).

Since substitution in the meta-language will rename bound variables to avoid variable capture, we cannot instantiate B in this declaration with an object that contains a free occurrence of $x$ ($x$ would be renamed). Thus, using higher-order abstract syntax, one can concisely represent simple variable occurrence conditions. The rules of inference are isomorphic to ones we have seen for natural deduction.

mp : hil (A imp B) → hil A → hil B.
ug : (Πa:i. hil (A a)) → hil (forall (λx:i. A x)).

The adequacy theorem for axiomatic derivations is straightforward and left to the reader.
3.6. Higher-level judgments

Next we turn to the local reduction judgment for natural deductions introduced in Section 3.2.
$$\begin{array}{c}\mathcal{D}\\ \vdash A\end{array} \ \Longrightarrow_R\ \begin{array}{c}\mathcal{D}'\\ \vdash A\end{array}$$
Recall that this judgment witnesses the local soundness of the elimination rules with respect to the introduction rules. We refer to this as a higher-level judgment since it relates derivations. The representation techniques underlying LF support this directly, since deductions are represented as objects which can in turn index type families representing higher-level judgments.

In this particular example, reduction is defined only by axioms, one each for implication, negation, and universal quantification. The representing type family in LF must be indexed by the representation of two deductions $\mathcal{D}$ and $\mathcal{D}'$, and consequently also by the representation of $A$. This shows that there may be dependencies between indices to a type family so that we need a dependent constructor Π for kinds in order to represent judgments relating derivations.

⟹R : ΠA:o. nd A → nd A → type.

As in the representation of inference rules in Sections 3.4 and 3.5, we omit the explicit quantifier on A and determine A from context.

⟹R : nd A → nd A → type.

We show the representation of the reduction rules for each connective in turn, writing ⟹R as an infix constant.

Implication. This reduction involves a substitution of a derivation for an assumption.
$$\frac{\dfrac{\begin{array}{c}\overline{\vdash A}\ u\\ \mathcal{D}\\ \vdash B\end{array}}{\vdash A \supset B}\ \supset\!\mathrm{I}^u \qquad \begin{array}{c}\mathcal{E}\\ \vdash A\end{array}}{\vdash B}\ \supset\!\mathrm{E} \qquad\Longrightarrow_R\qquad \begin{array}{c}\mathcal{E}\\ \vdash A\\ \mathcal{D}\\ \vdash B\end{array}$$
The representation of the left-hand side is

impe (impi (λu:nd A. D u)) E

where $E = \ulcorner\mathcal{E}\urcorner : \mathsf{nd}\ A$ and $D = (\lambda u{:}\mathsf{nd}\ \ulcorner A\urcorner.\ \ulcorner\mathcal{D}\urcorner) : \mathsf{nd}\ A \to \mathsf{nd}\ B$. The derivation on the right-hand side can be written more succinctly as $[\mathcal{E}/u]\mathcal{D}$. Compositionality of the representation (Theorem 3.2, part 3) and $\beta$-conversion in LF yield
$$\ulcorner [\mathcal{E}/u]\mathcal{D}\urcorner = [\ulcorner\mathcal{E}\urcorner/u]\ulcorner\mathcal{D}\urcorner = (\lambda u{:}\mathsf{nd}\ \ulcorner A\urcorner.\ \ulcorner\mathcal{D}\urcorner)\ \ulcorner\mathcal{E}\urcorner.$$
Thus the representation of the right-hand side will be definitionally equal to D E and we can formulate the rule concisely as

redl_imp : impe (impi (λu:nd A. D u)) E ⟹R D E.

Negation. This is similar to implication. The required substitution of $C$ for $p$ in $\mathcal{D}$ is implemented by application and $\beta$-reduction at the meta-level.
$$\frac{\dfrac{\begin{array}{c}\overline{\vdash A}\ u\\ \mathcal{D}\\ \vdash p\end{array}}{\vdash \neg A}\ \neg\mathrm{I}^{p,u} \qquad \begin{array}{c}\mathcal{E}\\ \vdash A\end{array}}{\vdash C}\ \neg\mathrm{E} \qquad\Longrightarrow_R\qquad \begin{array}{c}\mathcal{E}\\ \vdash A\\ {[C/p]\mathcal{D}}\\ \vdash C\end{array}$$

redl_not : note (noti (λp:o. λu:nd A. D p u)) C E ⟹R D C E.

Universal quantification. The universal introduction rule involves a parametric judgment. Consequently, the substitution to be carried out during reduction replaces a parameter by a term.
$$\frac{\dfrac{\begin{array}{c}\mathcal{D}\\ \vdash [a/x]A\end{array}}{\vdash \forall x.\,A}\ \forall\mathrm{I}^a}{\vdash [t/x]A}\ \forall\mathrm{E} \qquad\Longrightarrow_R\qquad \begin{array}{c}{[t/a]\mathcal{D}}\\ \vdash [t/x]A\end{array}$$
In the representation we once again exploit the compositionality.
$$\ulcorner [t/a]\mathcal{D}\urcorner = [\ulcorner t\urcorner/a]\ulcorner\mathcal{D}\urcorner = (\lambda a{:}i.\ \ulcorner\mathcal{D}\urcorner)\ \ulcorner t\urcorner$$
This gives rise to the declaration

redl_forall : foralle (foralli (λa:i. D a)) T ⟹R D T.

The adequacy theorem states that canonical LF objects of type $\ulcorner\mathcal{D}\urcorner \Longrightarrow_R \ulcorner\mathcal{D}'\urcorner$ constructed over the appropriate signature and in an appropriate parameter context are in bijective correspondence with derivations of $\mathcal{D} \Longrightarrow_R \mathcal{D}'$. We leave the precise formulation and simple proof to the diligent reader.

The encoding of the local expansions employs the same techniques. We summarize it below without going into further detail.

⟹E : nd A → nd A → type.

expl_imp : ΠD:nd (A imp B). D ⟹E impi (λu:nd A. impe D u).
expl_not : ΠD:nd (not A). D ⟹E noti (λp:o. λu:nd A. note D p u).
expl_forall : ΠD:nd (forall (λx:i. A x)). D ⟹E foralli (λa:i. foralle D a).

In summary, the representation of higher-level judgments continues to follow the judgments-as-types technique. The expressions related by higher-level judgments are now deductions and therefore dependently typed in the representation. Substitution at the level of deductions is implemented by $\beta$-reduction at the meta-level, taking advantage of the compositionality of the representation. Further examples of higher-level judgments can be found in Section 5.
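The checks carried out by hand in Section 3.4 (the type of the $A \supset (B \supset A)$ derivation, the rejection of $\mathsf{impi}\ (\lambda u.\ \mathsf{impe}\ u\ u)$, and the conversion step in the $\forall\mathrm{E}$ calculation) together with the reduction axiom of Section 3.6 can be run mechanically. The following Python program is an added example written for this page; it is not Twelf or Elf code and not part of the chapter. It implements the $\lambda^\Pi$ rules app, lam and conv with $\beta$-conversion as definitional equality, using named variables with fresh renaming, over a fragment of the signature ND with all $\Pi$-quantifiers explicit. The tuple syntax, the constant name redR standing in for $\Longrightarrow_R$, and the contexts ctx and fctx (with a hypothesis e and a predicate variable P) are choices of this example, not of the text.

```python
import functools, itertools

TYPE, KIND = ('type',), ('kind',)
_n = itertools.count()
fresh = lambda x: f"{x}#{next(_n)}"          # cannot clash with a name the user wrote

def subst(t, x, s):
    """[s/x]t, renaming every binder passed on the way down so nothing is captured."""
    if t[0] == 'v':
        return s if t[1] == x else t
    if t[0] == 'app':
        return ('app', subst(t[1], x, s), subst(t[2], x, s))
    if t[0] in ('lam', 'pi'):
        tag, y, A, B = t
        y2 = fresh(y)
        return (tag, y2, subst(A, x, s), subst(subst(B, y, ('v', y2)), x, s))
    return t                                  # constant or sort

def whnf(t):
    """Contract head beta-redexes: (lam x:A. M) N  ~>  [N/x]M."""
    while t[0] == 'app':
        f = whnf(t[1])
        if f[0] != 'lam':
            return ('app', f, t[2])
        t = subst(f[3], f[1], t[2])
    return t

def equal(s, t):
    """Definitional equality: beta-conversion up to renaming of bound variables."""
    s, t = whnf(s), whnf(t)
    if s[0] != t[0]:
        return False
    if s[0] == 'app':
        return equal(s[1], t[1]) and equal(s[2], t[2])
    if s[0] in ('lam', 'pi'):                 # compare bodies under one shared fresh variable
        z = ('v', fresh(s[1]))
        return equal(s[2], t[2]) and equal(subst(s[3], s[1], z), subst(t[3], t[1], z))
    return s == t

def infer(sig, ctx, t):
    """Synthesize the type (or kind) of t; TypeError if it has none."""
    tag = t[0]
    if tag in ('type', 'c', 'v'):
        return KIND if tag == 'type' else (sig if tag == 'c' else ctx)[t[1]]
    if tag == 'app':                          # rule app: the argument is checked against the domain
        F = whnf(infer(sig, ctx, t[1]))
        if F[0] != 'pi':
            raise TypeError(f"not a function: {t[1]}")
        check(sig, ctx, t[2], F[2])
        return subst(F[3], F[1], t[2])       # dependent result type [N/x]B
    _, x, A, body = t                         # rules lam and pi (the sort check on a Pi body is omitted)
    check(sig, ctx, A, TYPE)
    y = fresh(x)
    B = infer(sig, {**ctx, y: A}, subst(body, x, ('v', y)))
    return ('pi', y, A, B) if tag == 'lam' else B

def check(sig, ctx, t, A):
    """Rule conv: the synthesized type only has to be definitionally equal to A."""
    if not equal(infer(sig, ctx, t), A):
        raise TypeError(f"{t} does not have type {A}")

def has_type(sig, ctx, t, A):
    try:
        return equal(infer(sig, ctx, t), A)
    except (TypeError, KeyError):
        return False

# Signature ND of Section 3.4 (imp/forall fragment, explicit Pi-quantifiers), plus the
# family ==>_R of Section 3.6 (spelled redR here) and its implication axiom.
c, v = (lambda n: ('c', n)), (lambda n: ('v', n))
lam, pi = (lambda x, A, M: ('lam', x, A, M)), (lambda x, A, B: ('pi', x, A, B))
arrow = lambda A, B: pi('_', A, B)            # A -> B abbreviates Pi _:A. B
app = lambda f, *args: functools.reduce(lambda g, a: ('app', g, a), args, f)
i, o, A, B = c('i'), c('o'), v('A'), v('B')
nd, imp = (lambda X: app(c('nd'), X)), (lambda X, Y: app(c('imp'), X, Y))
ND = {'i': TYPE, 'o': TYPE, 'imp': arrow(o, arrow(o, o)), 'forall': arrow(arrow(i, o), o),
      'nd': arrow(o, TYPE),
      'impi': pi('A', o, pi('B', o, arrow(arrow(nd(A), nd(B)), nd(imp(A, B))))),
      'impe': pi('A', o, pi('B', o, arrow(nd(imp(A, B)), arrow(nd(A), nd(B))))),
      'foralle': pi('A', arrow(i, o), arrow(nd(app(c('forall'), A)), pi('t', i, nd(app(A, v('t')))))),
      'redR': pi('A', o, arrow(nd(A), arrow(nd(A), TYPE))),
      'redl_imp': pi('A', o, pi('B', o, pi('D', arrow(nd(A), nd(B)), pi('E', nd(A), app(c('redR'), B,
          app(c('impe'), A, B, app(c('impi'), A, B, v('D')), v('E')), app(v('D'), v('E')))))))}

def demo():
    ctx = {'A': o, 'B': o, 'e': nd(A)}        # propositional parameters A, B and a hypothesis e
    # the derivation of A => (B => A) from the text is well-typed, while impi (lam u. impe u u)
    # is rejected because u would have to be of type nd (A imp A) and of type nd A at once
    good = app(c('impi'), A, imp(B, A), lam('u', nd(A), app(c('impi'), B, A, lam('w', nd(B), v('u')))))
    bad = app(c('impi'), A, A, lam('u', nd(A), app(c('impe'), A, A, v('u'), v('u'))))
    # type conversion: foralle (lam x. P x) D t synthesizes nd ((lam x. P x) t), which is
    # accepted against nd (P t) only because has_type compares modulo beta
    P = lam('x', i, app(v('P'), v('x')))
    fctx = {'P': arrow(i, o), 'D': nd(app(c('forall'), P)), 't': i}
    conv = app(c('foralle'), P, v('D'), v('t'))
    # Section 3.6: the reduct (lam u. u) e in the type of redl_imp A A (lam u. u) e equals e modulo beta
    red = app(c('redl_imp'), A, A, lam('u', nd(A), v('u')), v('e'))
    redex = app(c('impe'), A, A, app(c('impi'), A, A, lam('u', nd(A), v('u'))), v('e'))
    return (has_type(ND, ctx, good, nd(imp(A, imp(B, A)))),
            has_type(ND, ctx, bad, nd(imp(A, A))),
            has_type(ND, fctx, conv, nd(app(v('P'), v('t')))),
            has_type(ND, ctx, red, app(c('redR'), A, redex, v('e'))))
```

demo() returns (True, False, True, True). The third result is the conv step of the $\forall\mathrm{E}$ calculation: infer produces $\mathsf{nd}\ ((\lambda x{:}i.\ P\ x)\ t)$ and equal contracts the redex before comparing it with $\mathsf{nd}\ (P\ t)$; the fourth shows the same mechanism at the level of deductions, where $(\lambda u.\ u)\ e$ is compared with $e$ as the text describes for $[\mathcal{E}/u]\mathcal{D}$. Because the signature admits no recursion at the object level, equal always terminates, which is the decidability point made above; adding an arithmetic plus that normalizes $2+3$ to $5$, as in the vector example, would require a different equal.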


4.  Meta-programming  and  proof  search 

An important motivation underlying the development of logical frameworks is to factor the effort required to build a theorem proving environment for specific logics. The idea is to build one generic environment for deriving judgments in the logical framework and use this for particular logical systems whose judgments are specified in the framework. Each logic is still likely to require a significant amount of development, but the goal is to reduce this effort as much as possible. Furthermore, by offering a high-level notation for the judgments of an object logic, one can increase the confidence in the correctness of an implementation, especially if the framework offers a notation for derivations independent of proof search. The practical evidence gathered through many experiments with Isabelle in a variety of logics indicates that this is indeed feasible and fruitful.

This  raises  two  related  questions:  which  are  the  common  concepts  in  theorem 
proving  shared  among  different  logics,  and  how  do  we  perform  search  in  the  logical 
framework?  We  concentrate  on  the  latter  question  in  the  hope  that  the  almost 
universal  applicability  of  the  ideas  becomes  apparent. 


4.1. Sequent calculus

Many forms of proof search are based on sequent calculi. A sequent generally has the form $\Gamma \Longrightarrow J$ where $\Gamma$ is a context of available labelled hypotheses $u_1 :: J_1, \ldots, u_n :: J_n$ and $J$ is the judgment we are trying to derive. This is just a less cumbersome notation for hypothetical judgments as introduced in Section 3.1. We refer to each $J_i$ as an antecedent and $J$ as the succedent of the sequent.

Fully automatic theorem proving for practically interesting logics is rarely feasible, so framework implementations such as Isabelle are based on partially automated search. In this case, it is most intuitive to think of the construction of a derivation as proceeding bottom-up, where a sequent $\Gamma \Longrightarrow J$ represents the goal of deriving $J$ from $\Gamma$. We describe the possible goal reductions in the form of inference rules for the sequent judgment. Since this view of search is a shared feature between many different logics, it is natural to base the generic search in the logical framework on the same principle, thereby directly supporting this view for a variety of object logics. The use of sequents for the top-down construction of derivations is the basis of the inverse method discussed in Chapter IX.

We describe here a sequent calculus for LF. A substantially similar and slightly simpler presentation can be given for hereditary Harrop formulas and related logical frameworks. The formulation below is based on work by Pym and Wallen [1990, 1991]. The presentation of LF motivated in Section 3.4 and summarized in Section 7 is highly economical in that the simple function type $A \to B$ is considered an abbreviation for a dependent function type $\Pi x{:}A.\ B$ where $x$ does not occur in $B$. During search, however, these two are treated differently: $A \to B$ behaves like an implication, while $\Pi x{:}A.\ B$ behaves like a universal quantifier. Already in the description of our representation technique we have informally distinguished between them: $A \to B$ corresponded to a hypothetical judgment while $\Pi x{:}A.\ B$ corresponded to a parametric judgment. Our sequents have the form
$$\Gamma \Longrightarrow M : A$$
where $\Gamma$ is a context of parameter declarations and hypotheses and $M$ is a proof term for $A$. During search we think of $\Gamma$ and $A$ as given, while $M$ is filled in when a proof succeeds. We fix a signature $\Sigma$ which encodes the expressions and inference rules of the object language under consideration and omit it from the judgment since it never changes. We maintain the following invariants:

1. $\vdash \Gamma\ \mathsf{ctx}$

2. $\Gamma \vdash A : \mathsf{type}$

3. $\Gamma \vdash M : A$

We use $h$ to range over either a constant $c$ declared in $\Sigma$ or a variable declared in $\Gamma$. We have initial sequents and so-called right and left rules for each type constructor ($\to$ and $\Pi$).


Initial sequents. We have solved a goal if a hypothesis matches the succedent, modulo definitional equality.
$$\frac{h{:}A'\ \text{in}\ \Sigma\ \text{or}\ \Gamma \qquad \Gamma \vdash A' = A : \mathsf{type}}{\Gamma \Longrightarrow h : A}\ \mathrm{init}$$

Hypothetical judgments. To derive the representation $A \to B$ of a hypothetical judgment, we simply introduce a hypothesis $A$ with a new label $u$.
$$\frac{\Gamma, u{:}A \Longrightarrow M : B}{\Gamma \Longrightarrow \lambda u{:}A.\ M : A \to B}\ {\to}\mathrm{R}^u$$
If we have an assumption $A \to B$ we are allowed to assume $B$ if we can derive $A$. The conclusion $C$ does not change in this rule.
$$\frac{h{:}A \to B\ \text{in}\ \Sigma\ \text{or}\ \Gamma \qquad \Gamma \Longrightarrow M : A \qquad \Gamma, u{:}B \Longrightarrow N : C}{\Gamma \Longrightarrow [(h\ M)/u]N : C}\ {\to}\mathrm{L}^u$$
Parametric judgments. To derive the representation $\Pi x{:}A.\ B$ of a parametric judgment, we simply introduce a new parameter (for convenience also called $x$).
$$\frac{\Gamma, x{:}A \Longrightarrow M : B}{\Gamma \Longrightarrow \lambda x{:}A.\ M : \Pi x{:}A.\ B}\ \Pi\mathrm{R}^x$$
To use a parametric assumption $\Pi x{:}A.\ B$ we instantiate $x$ with an object of the correct type.
$$\frac{h{:}\Pi x{:}A.\ B\ \text{in}\ \Sigma\ \text{or}\ \Gamma \qquad \Gamma \vdash M : A \qquad \Gamma, u{:}[M/x]B \Longrightarrow N : C}{\Gamma \Longrightarrow [(h\ M)/u]N : C}\ \Pi\mathrm{L}^u$$
Note that we fall back on the ordinary typing judgment for LF to check that the substitution term $M$ is well-typed in the appropriate context. The calculus as stated above is sound and complete, as shown by Pym and Wallen [1991]. As usual, we assume a fixed valid signature $\Sigma$ and that $\Gamma$ is valid in $\Sigma$.


4.1. Theorem (Properties of LF sequent calculus).

1. If $\Gamma \Longrightarrow M : A$ then $\Gamma \vdash M : A$.

2. If $\Gamma \vdash M \Uparrow A$ then $\Gamma \Longrightarrow M : A$.

Proof. The first property is easy to see by induction on the sequent derivation. The second can be proved by induction on the definition of canonical forms, after appropriate generalization for atomic forms (defined in Section 7). □

We can sharpen this theorem if we restrict initial sequents to atomic types $P$. In that case $\Gamma \Longrightarrow M : A$ implies that $\Gamma \vdash M \Uparrow A$ (see [Pinto and Dyckhoff 1998]). The additional rule of Cut which is sometimes allowed in sequent calculi plays a special role. It corresponds to the introduction of a lemma during proof search, which is very difficult to automate. Its discussion is left to Section 4.5.

When constructing a sequent derivation upwards from the conclusion, one is confronted with a variety of choices. In particular, we have to decide which rule to apply and, for the left rules, which hypothesis to use. Usually one takes advantage of additional properties of the logic to eliminate some of the choices. For example, in the sequent calculus for LF the conclusion of ${\to}\mathrm{R}$ is derivable if and only if the premise is derivable. Therefore it is always safe to apply this rule when the succedent has the form $A \to B$. Implementations of logical frameworks take advantage of such inversion properties to eliminate non-determinism in search. However, some choices clearly will always remain; they have to be addressed either via user interaction or some form of meta-programming. This is the topic of the next section.
4.2. Tactics and tacticals

In this section we address the question of which choices arise during search within a sequent calculus, and how the non-determinism inherent in these choices can be resolved. We assume a meta-level control structure of so-called tactics and tacticals. As a first approximation, a tactic transforms a partial proof structure with some unproven leaf sequents to another, while a tactical is a (higher-order) function to combine tactics to form more complex tactics. At the top level, the user can choose which tactic to apply, and which unproven sequent to apply it to. We analyze the structure of tactics and tacticals in more detail when discussing the kind of choices they have to resolve.

Tactics and tacticals arose out of the LCF theorem proving effort [Gordon et al. 1979, Paulson 1983] and are used in such diverse systems as HOL [Gordon and Melham 1993], Nuprl [Nuprl 1999, Constable et al. 1986], Coq [Coq 1999, Paulin-Mohring 1993], Isabelle [Isabelle 1998, Paulson 1994], and λProlog [λProlog 1997, Nadathur and Miller 1988, Felty 1993]. In all but λProlog, they are programmed in ML which was originally developed to support theorem proving for LCF. Correctness for tactics is ensured dynamically through data abstraction. The basic idea is that at the core of the implementation is an abstract type of Theorem with constructors which implement and check the correct application of the primitive rules of inference for a judgment. Since the type is abstract, only the given rules can be used, thereby reducing the correctness problem for a complex theorem proving environment to the correctness of the implementation of the basic inference rules.

In a logical framework with dependent types the correctness of deductions may instead be enforced by type-checking alone, as we have seen in Section 3.4. We therefore skip more detailed discussion of the validation of tactics and consider how they deal with choices that arise during search in a sequent calculus. In the ELAN logical framework [ELAN 1998, Borovansky et al. 1998] the strategy language has independent status, rather than being embedded in a general-purpose functional language such as ML. Besides individual tactic combinators to address various aspects of search, tactic languages provide general mechanisms for composition of tactics and iteration or recursion.


Conjunctive choice. A conjunctive choice arises when a sequent rule has several premises. Each of these premises must be derived to derive the conclusion. The ${\to}\mathrm{L}$ rule has this character: to derive the judgment $C$ we derive $A$, and also $C$ under the additional hypothesis $B$. A tactic can choose any unproven leaf from a partial proof structure to work on, usually the leftmost pending sequent. Tactic languages provide a tactical MAP such that MAP $t$ is a tactic which applies $t$ to all pending sequents in turn. In an interactive setting the user can navigate between unproven sequents.


Disjunctive  choice .  A  disjunctive  choice  arises  when  there  are  several  rules  which 
could  be  applied,  or  several  different  ways  in  which  a  particular  rule  might  be 


38 


Frank  Pfenning 


applied. For example, in the ${\to}\mathrm{L}$ rule we have to pick a hypothesis $h{:}A \to B$ from $\Sigma$ or $\Gamma$ when there may be several such assumptions. When tactics are employed for proof search, this is handled by backtracking. A tactic may apply sequent rules (from the bottom up) to reduce an unproven sequent, or it might fail. Failure for a tactic to apply signals that an alternative should be tried for an earlier choice. In the language of tacticals this is expressed with the ORELSE combinator. The tactic $t_1$ ORELSE $t_2$ tries to apply $t_1$ and returns its result if successful. If $t_1$ fails it tries to apply $t_2$ instead and returns its result. In particular, if $t_2$ also fails, then $t_1$ ORELSE $t_2$ fails. We refer to this as shallow backtracking because when $t_1$ succeeds the alternative $t_2$ will never be reconsidered. We discuss deep backtracking below, when we examine the interaction between disjunctive choice and meta-variables.

Universal choice. This arises, for example, in the ΠR^a rule where we have to choose a new parameter a. Since the only relevant criterion is that a is new, this does not lead to any undesirable non-determinism: any new a suffices.

Existential choice. This arises when we have to pick a term as, for example, the object M in the rule ΠL. Early implementations of tactics typically either guessed a plausible term or required the user to supply it. Since there is often an infinite number of choices, more recent implementations usually postpone a commitment until further search uncovers information about which terms might lead to a successful derivation. We achieve this postponement by using a place-holder X for M, called a meta-variable or logical variable. In order to guarantee soundness when meta-variables are instantiated we record its type A_X and the context Γ_X which contains the parameters which are allowed to occur in the instantiation term for X. The latter constraint on X replaces Skolemization as used in classical first-order theorem proving, which does not work for all object logics and would therefore be a poor choice in a logical framework.

Postponed existential choices are resolved when initial sequents are reached. Rather than check if a hypothesis matches the succedent modulo definitional equality, we have to decide if there is a way to instantiate the meta-variables in a hypothesis and the succedent so that the resulting judgments are definitionally equal. This problem is called unification and is discussed in Section 4.3 and in more detail in Chapter XIV. The introduction of meta-variables into search also interacts strongly with conjunctive and disjunctive choices, which we now revisit.
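The scope restriction Γ_X on a meta-variable, as an added example that is not the chapter's or any prover's own code: first-order unification in which every meta-variable X records the parameters that may occur in its instantiation, so that a parameter introduced after X was created can never be captured, and a meta-variable with a larger scope is pruned to a fresh one before X is bound to a term containing it. Types and λ-abstraction are omitted, and all names (Param, Meta, app, unifies) are assumptions of the example.

```python
"""Scoped meta-variables in first-order unification (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Param:
    """A parameter a introduced by a universal choice (ΠR)."""
    name: str


@dataclass(eq=False)
class Meta:
    """A meta-variable X, its allowed parameters Γ_X, and its binding once solved."""
    name: str
    scope: frozenset
    value: object = None


def app(name, *args):
    """Constructor application; a constant is app(name) with no arguments."""
    return (name, tuple(args))


class UnifyError(Exception):
    pass


def walk(t):
    """Follow the bindings of solved meta-variables."""
    while isinstance(t, Meta) and t.value is not None:
        t = t.value
    return t


def restrict(t, x, fresh):
    """Check that t may become the instantiation of x: no occurrence of x
    (occurs-check), no parameter outside Γ_x, and every other meta-variable
    pruned to a fresh one whose scope lies within Γ_x."""
    t = walk(t)
    if isinstance(t, Param):
        if t not in x.scope:
            raise UnifyError(f"{t.name} may not occur in {x.name}")
        return t
    if isinstance(t, Meta):
        if t is x:
            raise UnifyError(f"occurs-check failed for {x.name}")
        if t.scope <= x.scope:
            return t
        pruned = Meta(fresh(t.name), t.scope & x.scope)
        t.value = pruned          # Y := Y' with the smaller scope
        return pruned
    name, args = t
    return (name, tuple(restrict(a, x, fresh) for a in args))


def unify(s, t, fresh):
    """Solve s = t by binding meta-variables in place.  There is no trail, so
    a failed call may leave earlier bindings; a prover undoes them on backtracking."""
    s, t = walk(s), walk(t)
    if s is t:
        return
    if isinstance(s, Meta):
        s.value = restrict(t, s, fresh)
    elif isinstance(t, Meta):
        t.value = restrict(s, t, fresh)
    elif isinstance(s, Param) or isinstance(t, Param):
        if s != t:
            raise UnifyError(f"{s} and {t} clash")
    else:
        (f, fargs), (g, gargs) = s, t
        if f != g or len(fargs) != len(gargs):
            raise UnifyError(f"{f} and {g} clash")
        for a, b in zip(fargs, gargs):
            unify(a, b, fresh)


def resolve(t):
    """Substitute all solved meta-variables in t."""
    t = walk(t)
    if isinstance(t, (Param, Meta)):
        return t
    name, args = t
    return (name, tuple(resolve(a) for a in args))


def make_fresh():
    """Name generator for pruned meta-variables."""
    counter = [0]

    def fresh(base):
        counter[0] += 1
        return f"{base}'{counter[0]}"
    return fresh


def unifies(s, t, fresh):
    """Resolved s after unifying s with t, or None if no instantiation exists."""
    try:
        unify(s, t, fresh)
    except UnifyError:
        return None
    return resolve(s)
```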

Conjunctive choice with meta-variables. Meta-variables may be shared among several unproven leaf sequents. Since unification instantiates these variables globally in a partial proof structure, the order in which unproven sequents are reduced is no longer irrelevant. Tactics have to be aware of this interaction, although there are no simple and general recipes.

Disjunctive choice with meta-variables. Deriving an unproven sequent often requires a commitment to a particular instantiation for meta-variables as determined by unification at the leaves. This commitment could make it impossible to derive another sequent which shares some of the meta-variables. This means that even after successfully deriving a particular sequent, we might have to reexamine the choices made during this derivation in case another sequent turns out to be unprovable. This leads to deep backtracking which revisits disjunctive choices even though an alternative had previously been successful.

Under the simplified functional model for tactics introduced above, a tactic returns either no result (it fails) or a single result (the new partial proof structure). Deep backtracking requires that a tactic can return a potentially unbounded number of alternatives, where zero alternatives indicate failure. This can be done by using a lazily computed sequence of alternatives which can be incrementally expanded as necessary during backtracking. The Isabelle logical framework implementation uses this technique, since its meta-programming language ML is functional. In ELAN the operator dk (for don't know choose) achieves this behavior.

The λProlog and Elf implementations provide an alternative by using a logic programming interpretation of the logical framework to program search. Since logic programming inherently supports logical variables, unification, and deep backtracking, significantly less machinery is needed to implement tactics (see [Felty 1993]). On the other hand, don't-care non-determinism requires additional programming or extra-logical constructs such as the cut operator since the operational interpretation of logic programs is based on don't-know non-determinism. We come back to this in Section 4.4.

We use t1 THEN t2 to denote the sequential composition of tactics and REPEAT t for the iterator which applies t until it fails and then returns the last result. REPEAT t is an example of an unfailing tactic which always succeeds, though subgoals may of course remain. The interaction of possibly failing and unfailing tactics is one of the difficulties in tactic programming.

As a simple example, assume we have basic tactics Init, ArrowR, and PiR which apply the rules init, →R and ΠR, respectively. Then the tactic

Right* = REPEAT (ArrowR ORELSE PiR ORELSE Init)

repeatedly applies the right rules to a sequent until the succedent is atomic. The atomic goal is solved if it unifies with a hypothesis; otherwise it remains as a subgoal. This tactic is safe, that is, if the original sequent is derivable, the resulting sequent will still be derivable. Right* is safe, despite the fact that we use a committed choice tactical ORELSE, since the right rules of the sequent calculus for λ^Π are invertible: the premise is derivable if and only if the conclusion is derivable. The interaction of safe and unsafe tactics is another complicated aspect of tactic programming.
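The tactics and tacticals of this section together with the lazy-sequence model of deep backtracking, as an added example written in Python rather than ML (it is not the chapter's, Isabelle's or ELAN's code). A tactic maps a proof state to a lazily computed sequence of successor states, so THEN backtracks into the alternatives of →L while ORELSE stays shallow and REPEAT is unfailing. Only the propositional implicational fragment is covered, so PiR, proof terms and meta-variables are omitted and every name below (init, arrow_r, arrow_l, all_solved, run) is the example's own.

```python
"""Tactics as functions from a proof state to a lazy sequence of successor
states (added example, propositional implicational fragment only)."""
from itertools import chain


# Formulas: atoms are strings, implications are ("->", A, B) tuples.
def imp(a, b):
    return ("->", a, b)


# A sequent is (hypotheses, succedent); a proof state is the tuple of pending
# (unproven) sequents, leftmost first.  Basic tactics work on the leftmost one.
# No element yielded means failure; several elements are alternatives.

def init(state):
    """init: close the leftmost sequent if its succedent is among the hypotheses."""
    if state:
        (gamma, c), rest = state[0], state[1:]
        if c in gamma:
            yield rest


def arrow_r(state):
    """->R: from Γ ⇒ A -> B produce the premise Γ, A ⇒ B."""
    if state and isinstance(state[0][1], tuple):
        (gamma, (_, a, b)), rest = state[0], state[1:]
        yield ((gamma + (a,), b),) + rest


def arrow_l(state):
    """->L: for each hypothesis A -> B, one alternative with the two premises
    Γ, B ⇒ C and Γ ⇒ A.  Several hypotheses are a disjunctive choice, so the
    tactic yields several successor states instead of committing to one."""
    if state:
        (gamma, c), rest = state[0], state[1:]
        for h in gamma:
            if isinstance(h, tuple):
                _, a, b = h
                yield ((gamma + (b,), c), (gamma, a)) + rest


def all_solved(state):
    """A failing check: succeeds only when no sequents are pending."""
    if not state:
        yield state


def orelse(t1, t2):
    """t1 ORELSE t2: shallow backtracking; once t1 succeeds, t2 is never tried."""
    def tac(state):
        alts = t1(state)
        first = next(alts, None)
        if first is None:
            yield from t2(state)
        else:
            yield from chain([first], alts)
    return tac


def then(t1, t2):
    """t1 THEN t2: if t2 fails on one result of t1, the next alternative of t1
    is tried, i.e. deep backtracking over t1's disjunctive choices."""
    def tac(state):
        for s in t1(state):
            yield from t2(s)
    return tac


def repeat(t):
    """REPEAT t: apply t until it fails and return the last state.  It is
    unfailing, so subgoals may remain in its result."""
    def tac(state):
        alts = t(state)
        first = next(alts, None)
        if first is None:
            yield state
            return
        for s in chain([first], alts):
            yield from tac(s)
    return tac


# Right* from the text, without PiR: apply right rules until the succedent is
# atomic, then close the sequent with init if possible.
right_star = repeat(orelse(arrow_r, init))


def run(tactic, goal):
    """All results of a tactic on the initial state ⇒ goal, in search order."""
    return list(tactic((((), goal),)))


if __name__ == "__main__":
    # Constructed goal (C -> B) -> (A -> B) -> A -> B: the first hypothesis that
    # ->L picks leaves the dead end Γ ⇒ C, so the proof needs its second alternative.
    goal = imp(imp("C", "B"), imp(imp("A", "B"), imp("A", "B")))
    print(run(then(right_star, then(arrow_l, then(repeat(init), all_solved))), goal))
```

Running the module prints `[()]`: the only result is the empty state, reached after THEN abandoned the first alternative of arrow_l.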


4.3.  Unification  and  constraint  simplification 

As sketched above, unification is a central and indispensable mechanism in traditional first-order theorem provers and logic programming languages. It allows the search algorithm to postpone existential choices until more information becomes available about which instances may be useful. Most logical frameworks go beyond first-order terms in two ways: they employ types and they employ λ-abstraction. Consequently, first-order unification is insufficient. In this section we briefly review the aspects of higher-order unification most relevant to the practice of logical frameworks. For more information see Chapter XIV.

One can identify the simply-typed λ-calculus (λ→) as motivated in Section 2.2 as an important base language. Fortunately, definitional equality (βη-conversion) is decidable. On the other hand, the general unification problem is undecidable [Huet 1973] even for the second-order fragment [Goldfarb 1981], and most general unifiers may not exist. To appreciate some of the problems of higher-order unification, consider the equation

(\lambda x{:}i.\, F\,(s\,x)) = (\lambda x{:}i.\, s\,(F\,x))

where s : i \to i is a constant, and F is a meta-variable we are trying to solve for. Note that F itself may not contain free occurrences of x according to the definition of capture-avoiding substitution. There are infinitely many different solutions for F, namely

(\lambda y{:}i.\, s\,\ldots\,(s\,y))

for any number of applications of s, including zero.

Despite the undecidability, Huet [1975] devised a practical algorithm for higher-order pre-unification, a form of unification which postpones certain solvable equations instead of enumerating their solutions. The resulting semi-decision procedure is non-deterministically complete, that is, if there is a unifier, a less committed pre-unifier can in principle always be found. Moreover, when used to compute multiple solutions, it is guaranteed to enumerate non-redundant pre-unifiers to a given set of equations. With the addition of a modified version of the occurs-check, it coincides with first-order unification when called on first-order terms. Huet's algorithm has been used extensively in λProlog and Isabelle and generally seems to have good computational properties. Both languages must therefore manage constraints during search or execution of programs [Kirchner, Kirchner and Vittek 1993].

The practical success of Huet's algorithm seemed to be in part due to the fact that difficult higher-order unification problems rarely arise in practice. An analysis of this observation led Miller [1991] to discover higher-order patterns, a sublanguage of the simply-typed λ-calculus with restricted variable occurrences. For this fragment, most general unifiers exist. In fact, the theoretical complexity of this problem is linear [Qian 1993], just as for first-order unification. Miller proposed it as the basis for a lower-level language L_λ similar to λProlog, but one where unification does not branch since only higher-order patterns are permitted as terms. An empirical study of this restriction by Michaylov and Pfenning [1992, 1993] showed that most dynamically arising unification problems lie within this fragment, while a static restriction rules out some useful programming idioms.

The Elf language therefore makes no syntactic restriction to higher-order patterns, nor does it use Huet's algorithm for higher-order unification as generalized to λ^Π (discovered independently by Elliott [1989, 1990] and Pym [1990, 1992]). Instead, it employs a constraint solving algorithm [Pfenning 1991a, Pfenning 1991b, Dowek, Hardin, Kirchner and Pfenning 1996] where unification problems within the decidable fragment proposed by Miller are solved directly, while all others (solvable or not) are postponed as constraints. This can drastically reduce backtracking compared to higher-order pre-unification and imposes no restrictions on variable occurrences. On the other hand, unsolvable constraints may remain until the end of the computation, in which case the answer is conditional: each solution to the remaining constraints gives rise to a solution of the original equations, and each solution to the original equations will be an instance of the remaining constraints. In most practical applications, these somewhat weaker soundness and completeness theorems are sufficient.


4.4. Logic programming

Logic programming offers a different approach to meta-programming in a logical framework than ML or a separate strategy language. Rather than meta-programming in a language in which the logical framework itself is implemented (typically ML), we endow the logical framework with an operational interpretation in the spirit of Prolog. It should be clear that a specification of a logic under this approach does not automatically give rise to a theorem prover, but that theorem provers may be programmed in the meta-language. Two frameworks to date have pursued this approach: λProlog [λProlog 1997, Nadathur and Miller 1988], which gives an operational interpretation of hereditary Harrop formulas, and Elf [Pfenning and Schürmann 1998b, Pfenning 1994a], which gives an operational interpretation to λ^Π.

In logic programming the basic computational mechanism is proof search following a specific search strategy. Since the search strategy is fixed, the computational behavior of a program can be predicted and exploited by the programmer. This predictability comes at the price of completeness: programs may never terminate even if there is a proof. On the other hand, we are careful to preserve at least weak completeness, which means that if search fails then no proof can exist. Thus we can rely on success due to soundness and on failure due to weak completeness, while we have no information if the program does not terminate. This summarizes some essential differences between logic programming and general theorem proving.

The idea of logical framework implementations such as λProlog and Elf is to use the operational reading of specifications to implement algorithms for proof search and related problems. In many cases, the original specification itself can be used algorithmically. For example, a natural semantics specification of Mini-ML [Hannan 1991, Michaylov and Pfenning 1991] can be used directly for evaluation or type-checking, one of the original motivations for natural semantics [Kahn 1987, Hannan 1993].

We base our operational understanding of logic programming on the sequent calculus. The operational interpretation of a logical specification is based on two principles: goal-directed search [Miller et al. 1991] and focusing [Andreoli 1992]. Goal-directed search expresses that we always first apply the right rules bottom-up to derive a given sequent until the succedent is atomic. An atomic succedent should now result in an analogue to procedure call. This is achieved by focusing on a particular hypothesis and applying a succession of left rules until it is atomic. If it then happens to unify with the atomic succedent we next attempt to derive the pending premises of the left rule; otherwise we fail and backtrack. In a slight abuse of terminology we refer to derivations which are both goal-directed and focused as uniform. If every derivable judgment has a uniform derivation we claim to have an abstract logic programming language because search following this operational specification will be sound and weakly complete.

We now specify uniform derivations more concretely, in the form of two mutually recursive judgments for LF.

\Gamma \Rightarrow M : A          A is uniformly derivable

\Gamma; u{:}A \gg N : P           A immediately entails P

In these judgments, M and N are proof terms for A and P, respectively. In the immediate entailment judgment, A is the hypothesis we have focused on and u its label. When viewed operationally, we think of Γ, A and P as given, while M and N are computed together with the derivation. We presuppose and maintain the following invariants:

1. \vdash \Gamma\ \mathrm{Ctx} in both judgments;

2. \Gamma \vdash A : \mathrm{type} and

3. \Gamma \vdash M : A for uniform derivability, and

4. \Gamma \vdash P : \mathrm{type} and

5. \Gamma, u{:}A \vdash N : P for immediate entailment.

Actually, the restricted form of search guarantees a stronger invariant, namely that M is always canonical and N always atomic.


Atomic judgments.

\dfrac{\Gamma \vdash Q \equiv P : \mathrm{type}}{\Gamma; u{:}Q \gg u : P}\ \mathit{init}
\qquad
\dfrac{h{:}A \text{ in } \Sigma \text{ or } \Gamma \qquad \Gamma; u{:}A \gg N : P}{\Gamma \Rightarrow [h/u]N : P}\ \mathit{call}

Hypothetical judgments.

\dfrac{\Gamma, u{:}A \Rightarrow M : B}{\Gamma \Rightarrow \lambda u{:}A.\, M : A \to B}\ {\to}R^u
\qquad
\dfrac{\Gamma; u{:}B \gg N : C \qquad \Gamma \Rightarrow M : A}{\Gamma; w{:}A \to B \gg [(w\,M)/u]N : C}\ {\to}L^u
Parametric judgments.

\dfrac{\Gamma, x{:}A \Rightarrow M : B}{\Gamma \Rightarrow \lambda x{:}A.\, M : \Pi x{:}A.\, B}\ \Pi R^x
\qquad
\dfrac{\Gamma \vdash M \Uparrow A \qquad \Gamma; u{:}[M/x]B \gg N : C}{\Gamma; w{:}\Pi x{:}A.\, B \gg [(w\,M)/u]N : C}\ \Pi L^u

Uniform derivations are sound and complete with respect to sequent derivations. In fact, we can prove a stronger theorem: there is a bijection between canonical objects M of a given type A and the objects M such that Γ ⇒ M : A is derivable [Pfenning 1991a, Dyckhoff and Pinto 1994, Pfenning 2001, Pinto and Dyckhoff 1998].

4.2. Theorem (Properties of LF uniform derivations).

1. If \Gamma \Rightarrow M : A then \Gamma \vdash M \Uparrow A.

2. If \Gamma \vdash M \Uparrow A then \Gamma \Rightarrow M : A.

Proof. The first property is easy to see by induction on the uniform derivation. The second can be proved by induction on the definition of canonical forms, after appropriate generalization for atomic forms (see [Pfenning 2001]). An alternative proof examines the permutability of inference rules in the sequent calculus for LF from Section 4.1. □

We now revisit the remaining non-deterministic choices we examined in the discussion of tactics in Section 4.2.

Conjunctive choice. We always solve the subderivations in the multiple premise rule →L from left to right. This means that when a hypothesis u:A → (B → C) is used to derive C, the first subgoal to be solved is B and the second A. If we rewrite the same declaration with the arrows reversed, we obtain u : (C ← B) ← A which lends itself to a natural reading as a labelled program clause in logic programming. Using the convention that ← is left-associative, we can write this even more concisely as u : C ← B ← A. It is important to derive the premises of →L in this order since we do not want to solve subgoals until we know if the target type (C in the example) matches the atomic goal. In Prolog terminology conjunctive choice is called subgoal selection.


Disjunctive choice. We employ deep backtracking as indicated in Section 4.2. Since only one inference rule applies to any sequent, disjunctive choices arise only in two circumstances: we have to decide which constant or hypothesis to use for one of the call rules, and unification may allow more than one possibility (see the notes on existential choice below). We first try constants from first to last in the fixed signature Σ, then the parameters and hypotheses from Γ from right to left (the most recently introduced hypothesis is tried first).

Universal choice. Just as before, we simply introduce new parameters or hypothesis labels.


Existential choice. In the ΠL rule we introduce a fresh meta-variable X, record Γ and A and proceed. When we try to complete a branch of the derivation with the init rule, we use unification instead of equality. λProlog employs Huet's unification algorithm to enumerate pre-unifiers, while Elf uses constraint simplification based on patterns [Dowek et al. 1996].

To illustrate uniform derivations we reconsider the example at the end of Section 3.2 with its encoding in LF from Section 3.4. We omit the proof terms for the sake of brevity.

\cdot \Rightarrow \Pi A{:}o.\, nd(A\ imp\ not\ not\ A)

\Pi R^A which leaves

A{:}o \Rightarrow nd(A\ imp\ not\ not\ A)

call with impi which leaves

A{:}o; (\Pi A{:}o.\, \Pi B{:}o.\, (nd(A) \to nd(B)) \to nd(A\ imp\ B)) \gg nd(A\ imp\ not\ not\ A)

\Pi L with A which leaves

A{:}o; (\Pi B{:}o.\, (nd(A) \to nd(B)) \to nd(A\ imp\ B)) \gg nd(A\ imp\ not\ not\ A)

\Pi L with not\ not\ A which leaves

A{:}o; ((nd(A) \to nd(not\ not\ A)) \to nd(A\ imp\ not\ not\ A)) \gg nd(A\ imp\ not\ not\ A)

{\to}L which leaves two subgoals

A{:}o; nd(A\ imp\ not\ not\ A) \gg nd(A\ imp\ not\ not\ A)

init which is solved, leaving one subgoal

A{:}o \Rightarrow nd(A) \to nd(not\ not\ A)

In the remainder we omit the immediate entailment steps.

A{:}o \Rightarrow nd(A) \to nd(not\ not\ A)                                {\to}R^u
A{:}o, u{:}nd(A) \Rightarrow nd(not\ not\ A)                               call with noti
A{:}o, u{:}nd(A) \Rightarrow \Pi p{:}o.\, (nd(not\ A) \to nd(p))           \Pi R^p
A{:}o, u{:}nd(A), p{:}o \Rightarrow (nd(not\ A) \to nd(p))                 {\to}R^w
A{:}o, u{:}nd(A), p{:}o, w{:}nd(not\ A) \Rightarrow nd(p)                  call with note, leaving subgoals
A{:}o, u{:}nd(A), p{:}o, w{:}nd(not\ A) \Rightarrow nd(not\ A)             call with w, solved, and
A{:}o, u{:}nd(A), p{:}o, w{:}nd(not\ A) \Rightarrow nd(A)                  call with u, solved

To compute the proof term we proceed through the sequents, assigning proof terms at each step. At the root, this yields the sequent

A{:}o \Rightarrow (impi\ (\lambda u{:}nd\ A.\, noti\ (\lambda p{:}o.\, \lambda w{:}nd\ (not\ A).\, note\ w\ p\ u))) : nd\ (A\ imp\ not\ not\ A).
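The uniform derivation rules →R, →L, init and call, together with the subgoal and clause orders fixed under "Conjunctive choice" and "Disjunctive choice" above, as an added example that is neither the chapter's nor Elf's code. It is restricted to the propositional implicational fragment: Π, meta-variables and unification are left out, so init compares atoms for equality, the Π-instantiations of a trace like the one above would have to be chosen by hand, and the names (solve, focus, clause, prove) are the example's own.

```python
"""Uniform derivations for propositional implicational hereditary Harrop
formulas with proof-term synthesis (added example)."""


# Formulas: atoms are strings; A -> B is the tuple ("->", A, B).
def imp(a, b):
    return ("->", a, b)


def clause(head, *subgoals):
    """head <- g1 <- g2 ... with left-associative <-, i.e. gn -> ... -> g1 -> head,
    so the subgoals are solved in the order written, as in a Prolog clause."""
    f = head
    for g in subgoals:
        f = imp(g, f)
    return f


def show(f):
    return f if isinstance(f, str) else f"({show(f[1])} -> {show(f[2])})"


def paren(m):
    return m if m.startswith("(") or " " not in m else f"({m})"


def solve(sig, gamma, goal, trace):
    """Γ ⇒ M : goal.  Yields every proof term M lazily, so that consuming the
    iterator after a failure further up amounts to deep backtracking."""
    if isinstance(goal, tuple):
        # ->R: move the antecedent into Γ under a fresh label (universal choice).
        _, a, b = goal
        u = f"u{len(gamma) + 1}"
        for n in solve(sig, gamma + [(u, a)], b, trace):
            yield f"(λ{u}:{show(a)}. {n})"
    else:
        # Atomic succedent: call.  Disjunctive choice over the head to focus on,
        # constants of Σ first to last, then hypotheses of Γ right to left.
        trace.append(goal)
        for h, a in list(sig) + list(reversed(gamma)):
            for args in focus(sig, gamma, a, goal, trace):
                yield " ".join([h] + [paren(m) for m in args])


def focus(sig, gamma, a, p, trace):
    """Γ; u:a >> N : p.  Yields the argument lists the focused head is applied
    to.  The target atom is matched (init) before any subgoal is solved, which
    is why the premises of ->L are taken left to right."""
    if isinstance(a, str):
        if a == p:            # init: plain equality of atoms, no unification
            yield []
        return
    _, b, c = a               # focused hypothesis b -> c
    for rest in focus(sig, gamma, c, p, trace):    # left premise: keep focusing on c
        for m in solve(sig, gamma, b, trace):      # right premise: only now derive b
            yield [m] + rest


def prove(sig, goal):
    """All uniform derivations of ⇒ goal under signature sig: the proof terms in
    search order and the trace of atomic goals attempted, also in order."""
    trace = []
    proofs = list(solve(sig, [], goal, trace))
    return proofs, trace


if __name__ == "__main__":
    # Constructed signature: a : A and mk : C <- B <- A, i.e. A -> (B -> C).
    sig = [("a", "A"), ("mk", clause("C", "B", "A"))]
    print(prove(sig, imp("B", "C")))
```

For the goal B -> C the trace is C, B, A: the target C is matched first, then the subgoals of mk in the order B, A, and the single proof term is (λu1:B. mk a u1).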

There are some advantages and some disadvantages to the logic programming approach to meta-programming. Perhaps the most important advantage is uniformity of language for specification and implementation. Specific algorithms such as evaluation, type inference, or certain theorem proving strategies can easily be implemented at a very high level. On the other hand, the logic programming paradigm does not lend itself very well to interactive theorem proving since the state of the search and user commands are inherently imperative in nature. In λProlog this is addressed with extra-logical constructs which augment the logical foundation, just as Prolog extends Horn logic in numerous ways. Furthermore, the current state of the art in implementation of λProlog is such that complex tactics or decision procedures can be much faster in a functional meta-language. An ongoing effort in compiler design and implementation might change this situation in the near future [Nadathur and Mitchell 1999].

Elf remains pure and is therefore difficult to use for interactive theorem proving. However, the purity of the language has an important benefit, namely that we can express proofs of meta-theorems to a certain extent. In particular, we can write meta-programs in Elf which translate traces of a search algorithm written in Elf to deductions as specified in LF. We will see an example of this kind of application in Section 5.


4.5.  Theory  development 

In practical applications one is usually interested in more than just proving one theorem, but in the development of a whole theory consisting of declarations, definitions, lemmas, and theorems. Moreover, theories are often organized into subtheories related in a variety of ways.

At the most fundamental level, the logical framework calculus LF can be extended by global definitions of the form c:A = M or by local definitions in the form let x:A = M in N. These can be viewed as either introducing syntactic abbreviations (if the type A represents a syntactic category) or introducing a derived rule A with derivation M (if the type A represents a judgment). One can either view such an extension as semantically completely transparent so that the let above is treated as syntactic sugar for (λx:A. N) M, or one can introduce a new typing rule

\dfrac{\Gamma \vdash M : A \qquad \Gamma, x{:}A \vdash N : C}{\Gamma \vdash \mathbf{let}\ x{:}A = M\ \mathbf{in}\ N : C}\ \mathit{let}

and a new rule of definitional equality

\mathbf{let}\ x{:}A = M\ \mathbf{in}\ N \equiv [M/x]N.

The canonical form theorem and decidability of type-checking continue to hold, but the search operations underlying both tactics and logic programming are complicated. The problem is that expansion of all definitions is rarely feasible, while not expanding them jeopardizes weak completeness. A solution of this problem for LF based on a simple form of strictness analysis is proposed in [Pfenning and Schürmann 1998a].

In the sequent calculus, the introduction of a lemma into the derivation during search corresponds to an application of the cut rule.

\dfrac{\Gamma \Rightarrow M : A \qquad \Gamma, u{:}A \Rightarrow N : C}{\Gamma \Rightarrow \mathbf{let}\ u{:}A = M\ \mathbf{in}\ N : C}\ \mathit{cut}^u

One could also choose the proof term [M/u]N in the conclusion in order to avoid a language extension. The cut rule for LF is admissible, which means that any instance of this rule can be eliminated from a derivation.

For further discussion of modularity mechanisms in logical frameworks, see Section 8.1.


5.  Representing  meta-theory 

Logical frameworks are designed to admit a direct and natural representation of deductive systems at a very high level of abstraction. In Section 3 we showed that checking the validity of a derivation can be reduced to type-checking in the framework, which is decidable. In Section 4 we indicated how generic ideas for proof search in a logical framework can support theorem proving in particular logics, and how a logic programming interpretation of a framework can be used for the implementation of specific algorithms related to deductive systems.

This leaves the question whether we can take advantage of the conciseness and elegance of the encodings to also mechanize the meta-theory of deductive systems. For example, we might want to prove that the natural deduction formulation of intuitionistic logic in Section 3.2 and the axiomatic formulation in Section 3.5 have the same theorems. Other examples from the area of logic include admissibility of inference rules such as cut in a sequent system, or the correctness of logical interpretations. In the area of programming languages we think of properties such as type preservation, correctness of type inference algorithms, or compiler correctness.

The answer is a qualified "yes". Some frameworks such as FS_0 are specifically designed for meta-theoretic reasoning, but they give up techniques such as static proof checking, higher-order abstract syntax, or hypothetical judgments as functions. As we explain below, there are some difficulties with encodings utilizing higher-order abstract syntax, with a number of possible solutions. In many ways the potential of logical frameworks for meta-theoretic reasoning has not yet been fully explored.

Just as we isolated the notions of variable binding, parametric, and hypothetical judgments as central in the presentation of deductive systems, we should analyze the proof techniques used to carry out the meta-theory of deductive systems and then consider how a framework might support them. By far the most common proof technique is induction, both over the structure of expressions and derivations. Thus one naturally looks towards frameworks that permit inductive definitions of judgments and allow the corresponding induction principles. Unfortunately, there is a conflict between induction and the representation techniques of higher-order abstract syntax and functional representation of hypothetical judgments. The issue is complicated further by dependent types, so we consider first the implicational fragment of the simply-typed representation of deductions.

nd : type
impi : (nd → nd) → nd
impe : nd → nd → nd

Even if we considered the above signature as complete (rather than open-ended), the type nd would not be inductively defined in the usual sense, because of the negative occurrence of nd in the type of impi. Straightforward attempts to formulate a valid induction principle for the type nd fail. Informally, at least one difficulty is clear: when we try to prove a theorem about natural deductions, we invariably have to generalize over all possible collections of hypotheses. Since they are not represented explicitly in our technique, we cannot directly formulate the required induction proofs. We consider an example below.

There is a further difficulty with induction in the framework which stems from the essential open-endedness of representations. For example, assume we declare constants z for zero and s for successor in the formulation of first-order logic, but we do not assume an induction principle for natural numbers in our object logic. If the framework permitted an induction principle over the representation type i, we would no longer have an adequate encoding of first-order logic with two uninterpreted function constants. The encoding of the universal introduction rule,

foralli : ΠA:i → o. (Πa:i. nd (A a)) → nd (forall A)

now represents an ω-rule, since objects of type Πa:i. nd (A a) allow case analysis on a and are therefore no longer necessarily parametric in a. Depending on the strength of the induction principle in the meta-language we would be able to derive various propositions in the object language that are not actually derivable in pure first-order logic, and the adequacy of the representation is destroyed. A similar problem already arises at the level of syntax if we permit primitive recursion into the logical framework.

Several options have been explored to escape this dilemma. The first is to reject the notion of higher-order abstract syntax and use inductive representations directly (see, for example, [Matthews et al. 1993, Basin and Constable 1993, Feferman 1988, Magnusson and Nordström 1994]). This engenders a complication of the encoding and consequently of the meta-theory, which now has to deal with many lemmas regarding variable naming. This can be alleviated by using de Bruijn indices [de Bruijn 1972], yet formalizations are still substantially more complex than informal proofs. There are many examples of formal developments along these lines.
A second possibility is to relax the conditions on inductive definitions, which leads to partial inductive definitions [Hallnäs 1991]. They allow inversion principles but not a direct generalization of proofs by induction. Partial inductive definitions have been used as the basis for a logical framework [Hallnäs 1987, Eriksson 1993a], implemented in the Pi derivation editor [Eriksson 1994]. Their potential for formalizing meta-theory is currently being explored by McDowell and Miller [1997] (see also [McDowell 1997]); more on their approach below.

A third option is to employ reflection with some restrictions to ensure soundness. In [Despeyroux, Pfenning and Schürmann 1997] this was achieved by a modal type operator satisfying the laws of S4. However, the practicality of these and some related proposals [Despeyroux and Hirschowitz 1994, Despeyroux, Felty and Hirschowitz 1995, Leleu 1998] has never been demonstrated. Different reflection mechanisms have been employed in the Calculus of Constructions [Rueß 1996, Rueß 1997] and Nuprl [Allen, Constable, Howe and Aitken 1990]. These last two do not use higher-order abstract syntax.

A fourth option is to externalize the induction. This leads to a three-level
architecture: the object logic, the logical framework in which it is specified, and a
meta-logic for reasoning about the logical framework. Variations of this are currently
pursued by McDowell and Miller [1997] and Schürmann and Pfenning [1995, 1998]. In
principle, any meta-logic could be used for reasoning about the logical framework, but
the effort required to develop the theory of the framework and then apply it to
individual signatures would be prohibitive unless the meta-logic was specifically
designed for meta-theoretic reasoning. Briefly, the logic of McDowell and Miller is
based on definitional reflection [Schroeder-Heister 1993] and natural number induction,
while that of Schürmann and Pfenning admits only $\forall\exists$ formulas where the
quantifiers range over closed LF objects and uses explicit termination orderings
[Rohwedder and Pfenning 1996]. Recently, this approach has been generalized by
Schürmann [2000].

A more detailed discussion of such meta-logical frameworks is beyond the scope of
this chapter. In the next section we present another approach where the meta-theory
is only partially verified, but where the computational content of the meta-theoretic
proofs is directly available for execution.


5.1. Relational meta-theory

As alluded to above, it is difficult to soundly extend the logical framework to include
induction. However, it is possible to encode the computational content of proofs of
meta-theoretic properties in Elf and thereby partially verify them. Moreover, they can
be executed for a number of different purposes. The technique employs higher-level
judgments as introduced in Section 3.6.

As an example we consider the equivalence between natural deduction and axiomatic
formulations of the fragment of first-order logic introduced in Sections 3.2 and 3.5.
In one direction this is expressed simply as:

If $\vdash_H A$ then $\vdash_N A$.

Recall that formulas $A$ are represented as objects of type o, while derivations of
$\vdash_H A$ are represented by objects of type hil ⌜A⌝ and derivations of $\vdash_N A$
as objects of type nd ⌜A⌝. Expressed in a meta-logic for LF, we can use adequacy of
the encodings to reformulate the theorem.

For any LF objects A : o and H : hil A there exists an LF object D : nd A.

If we ignore the issues of parameters for the moment, the quantifiers range over
closed objects with respect to the signature that encodes natural and axiomatic
formulations of intuitionistic logic. From a constructive proof of this proposition
we can extract a function which maps a formula $A$ and a derivation of $\vdash_H A$
to a deduction of $\vdash_N A$. If this function were representable in the logical
framework, it would have type

ΠA:o. hil A → nd A.

Since the proof proceeds by induction over the structure of the axiomatic derivation
$\mathcal{H}$ of $\vdash_H A$, such a function would be defined by induction over its
second argument, something the framework does not allow. However, we can specify this
function as a higher-level judgment relating $\mathcal{H}$ and the natural deduction
$\mathcal{D}$. This higher-level judgment is declared as a type family hilnd.

hilnd : ΠA:o. hil A → nd A → type

This relation can be specified in LF and executed as a logic program in Elf. Queries
have the form hilnd A H D, where A and H are given closed objects of appropriate type,
while D is a free variable which will be computed during logic programming search.

It is important to realize, however, that type-checking the signature declaring hilnd
does not guarantee the validity of the meta-theorem we were trying to prove. For this,
some additional conditions have to be satisfied: mode correctness, which expresses that
the logic programming interpretation of hilnd respects the desired input/output
interpretation; termination, which guarantees that each call of hilnd of the form above
terminates; and coverage, which guarantees that for each possible combination of input
values a case in the definition of hilnd will be applicable. Some aspects of this check
are discussed in [Pfenning and Rohwedder 1992, Rohwedder and Pfenning 1996].

A similar idea in the area of functional programming without the notion of
higher-order abstract syntax has been explored in the ALF system [Magnusson 1995,
Magnusson and Nordström 1994, Coquand and Smith 1993, Coquand, Nordström, Smith and
von Sydow 1994] and the Foetus system [Abel 1999]. The empirical evidence suggests
that this shortens developments considerably and allows the formulation of functions
in a manner which is closer to functional programming practice [Coquand 1992, Gaspes
and Smith 1992, Magnusson 1993]. In these systems, termination and coverage have also
been externalized, rather than forcing adherence to an inflexible schema of primitive
recursion.
5.2. Translating axiomatic derivations to natural deductions

In this section we illustrate the relational representation of proofs by relating
derivations in the axiomatic system to natural deductions. As a first step we prove
that every axiomatic deduction may be transformed into a natural deduction.

5.1. Theorem. If $\vdash_H A$ then $\vdash_N A$.

Proof. The proof proceeds by a simple structural induction over the derivation
$\mathcal{H} :: \vdash_H A$. In each case we exhibit the corresponding natural
deduction. Our representation of this proof introduces a new judgment relating, for
any formula $A$, the Hilbert derivations of $A$ to the natural deductions of $A$. This
judgment is represented by the type family

hilnd : hil A → nd A → type

where we have left a quantifier over A implicit as explained in Section 3.4. As
explained in the preceding section, this relation implements a total function
ΠA:o. hil A → nd A which is not directly expressible in the framework.

Each case in the induction argument turns into a declaration of a corresponding
higher-level judgment.

Case:
\[
\mathcal{H} = \dfrac{}{\vdash_H A \supset (B \supset A)}\ K
\]
In this case we have to supply a natural deduction of $A \supset (B \supset A)$, which
we have already seen at the end of Section 3.4. Recall that k implements the axiom K.

hnd_k : hilnd k (impi (λu:nd A. impi (λv:nd B. u))).

Case:
\[
\mathcal{H} = \dfrac{}{\vdash_H (A \supset (B \supset C)) \supset ((A \supset B) \supset (A \supset C))}\ S
\]
A natural deduction of the conclusion is
\[
\dfrac{
\dfrac{
\dfrac{
\dfrac{
\dfrac{\dfrac{}{\vdash_N A \supset (B \supset C)}\,u \qquad \dfrac{}{\vdash_N A}\,w}{\vdash_N B \supset C}\ {\supset}E
\qquad
\dfrac{\dfrac{}{\vdash_N A \supset B}\,v \qquad \dfrac{}{\vdash_N A}\,w}{\vdash_N B}\ {\supset}E
}{\vdash_N C}\ {\supset}E
}{\vdash_N A \supset C}\ {\supset}I^w
}{\vdash_N (A \supset B) \supset (A \supset C)}\ {\supset}I^v
}{\vdash_N (A \supset (B \supset C)) \supset ((A \supset B) \supset (A \supset C))}\ {\supset}I^u
\]
This deduction can now be represented in LF by the usual method.

hnd_s :
  hilnd s
    (impi (λu:nd (A imp B imp C).
      impi (λv:nd (A imp B).
        impi (λw:nd A. impe (impe u w) (impe v w))))).


Case:
\[
\mathcal{H} = \dfrac{}{\vdash_H (A \supset \neg B) \supset ((A \supset B) \supset \neg A)}\ N_1
\]
This is similar to the previous case.
\[
\dfrac{
\dfrac{
\dfrac{
\dfrac{
\dfrac{\dfrac{}{\vdash_N A \supset \neg B}\,u \qquad \dfrac{}{\vdash_N A}\,w}{\vdash_N \neg B}\ {\supset}E
\qquad
\dfrac{\dfrac{}{\vdash_N A \supset B}\,v \qquad \dfrac{}{\vdash_N A}\,w}{\vdash_N B}\ {\supset}E
}{\vdash_N p}\ {\neg}E
}{\vdash_N \neg A}\ {\neg}I^{p,w}
}{\vdash_N (A \supset B) \supset \neg A}\ {\supset}I^v
}{\vdash_N (A \supset \neg B) \supset ((A \supset B) \supset \neg A)}\ {\supset}I^u
\]
In the formalization, the propositional parameter $p$ appears as a bound variable.

hnd_n1 :
  hilnd n1
    (impi (λu:nd (A imp not B).
      impi (λv:nd (A imp B).
        noti (λp:o. λw:nd A. note (impe u w) p (impe v w))))).

The remaining axioms are easy to prove, and we only show their encodings.

hnd_n2 :
  hilnd n2 (impi (λu:nd (not A). impi (λv:nd A. note u B v))).
hnd_f1 :
  hilnd (f1 T) (impi (λu:nd (forall (λx:i. A x)). foralle u T)).
hnd_f2 :
  hilnd f2
    (impi (λu:nd (forall (λx:i. B imp A x)).
      impi (λv:nd B. foralli (λa:i. impe (foralle u a) v)))).


Case:
\[
\mathcal{H} = \dfrac{\begin{array}{c}\mathcal{H}_1\\ \vdash_H A \supset B\end{array} \qquad \begin{array}{c}\mathcal{H}_2\\ \vdash_H A\end{array}}{\vdash_H B}\ MP
\]
By induction hypothesis on $\mathcal{H}_1$ and $\mathcal{H}_2$ there exist natural
deductions $\mathcal{D}_1 :: \vdash_N A \supset B$ and $\mathcal{D}_2 :: \vdash_N A$,
respectively. Using the rule of implication elimination ${\supset}E$, we obtain
\[
\mathcal{D} = \dfrac{\begin{array}{c}\mathcal{D}_1\\ \vdash_N A \supset B\end{array} \qquad \begin{array}{c}\mathcal{D}_2\\ \vdash_N A\end{array}}{\vdash_N B}\ {\supset}E
\]
In the representation we emphasize the operational reading of the implementation by
using the arrow that points to the left. It associates to the left, and therefore
$A_3 \leftarrow A_2 \leftarrow A_1$ is equivalent to $A_1 \to A_2 \to A_3$.

hnd_mp : hilnd (mp H1 H2) (impe D1 D2)
  ← hilnd H1 D1
  ← hilnd H2 D2.

Note that hilnd H1 D1 will be the first subgoal to be solved, and hilnd H2 D2 the
second, according to the operational semantics sketched in Section 4.4.

Case:
\[
\mathcal{H} = \dfrac{\begin{array}{c}\mathcal{H}_1\\ \vdash_H [a/x]A\end{array}}{\vdash_H \forall x.\,A}\ UG^a
\]
This case corresponds directly to universal introduction (${\forall}I$) in natural
deduction. By induction hypothesis on $\mathcal{H}_1$ there exists a natural deduction
$\mathcal{D}_1 :: \vdash_N [a/x]A$. Since the deduction $\mathcal{D}_1$ is not
hypothetical, the side condition on $UG$ that $a$ not appear in $A$ is sufficient to
guarantee the corresponding side condition on ${\forall}I$ and we can form
\[
\mathcal{D} = \dfrac{\begin{array}{c}\mathcal{D}_1\\ \vdash_N [a/x]A\end{array}}{\vdash_N \forall x.\,A}\ {\forall}I^a
\]
In the representation, H1 is a function from a to a deduction of $[a/x]A$. Thus the
higher-level judgment relating H1 to D1 is parametric in a. Parametric judgments are
represented by functions as usual, so a dependent function type will appear in the
premise.

hnd_ug : hilnd (ug H1) (foralli D1) ← (Πa:i. hilnd (H1 a) (D1 a)).

Operationally in Elf, solving the subgoal introduces a new parameter a and substitutes
it for the variable bound in H1. The resulting deduction is translated to a natural
deduction that may contain a. Matching this against the pattern (D1 a) creates the
correct functional representation of the judgment that is hypothetical in a, and which
is the premise of ${\forall}I$ and thus the argument to foralli. □

The proof above describes a method for translating axiomatic derivations to natural
deductions. Under the Curry-Howard isomorphism [Howard 1980], this corresponds to a
translation from typed combinators (based on S and K and others) to typed λ-terms. As
a sample execution of this program, consider the query

hilnd (mp (mp s k) k) D

where D is a free variable of type nd (A imp A). This will compute the following
instantiation for D, which is an indirect way of deriving $A \supset A$.

impe
  (impe
    (impi
      (λu:nd (A imp (B imp A) imp A).
        impi
          (λv:nd (A imp B imp A).
            impi (λw:nd A. impe (impe u w) (impe v w)))))
    (impi (λu:nd A. impi (λv:nd (B imp A). u))))
  (impi (λu:nd A. impi (λv:nd B. u))).
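The translation hilnd of this section, restricted to the implicational fragment (k, s, mp), as an added Python example that is not part of the chapter or of the Elf system. It reads the three clauses hnd_k, hnd_s and hnd_mp as a function, and pairs the translation with a small type-checker for nd proof terms: just as LF type-checking certifies each individual output of the Elf program, nd_check certifies that every term hilnd produces really proves the formula its input proved. The dataclasses Atom, Imp, K, S, MP, Hyp, ImpI, ImpE and the functions below are this example's own names, not the chapter's signature; the sample derivation IDENTITY is the query mp (mp s k) k from the text.

```python
"""hilnd on the implicational fragment: combinators to λ-terms, certified by a
type-checker for the output (assumed names; example code, not the chapter's Elf)."""
from dataclasses import dataclass
from typing import Union

# Formulas of the implicational fragment (objects of type o on the page).
@dataclass(frozen=True)
class Atom:
    name: str

@dataclass(frozen=True)
class Imp:
    left: "Formula"
    right: "Formula"

Formula = Union[Atom, Imp]

# Axiomatic derivations (objects of type hil A): k, s and mp.
@dataclass(frozen=True)
class K:          # k : hil (A imp B imp A)
    a: Formula
    b: Formula

@dataclass(frozen=True)
class S:          # s : hil ((A imp B imp C) imp (A imp B) imp A imp C)
    a: Formula
    b: Formula
    c: Formula

@dataclass(frozen=True)
class MP:         # mp : hil (A imp B) -> hil A -> hil B
    h1: "Hil"
    h2: "Hil"

Hil = Union[K, S, MP]

# Natural deductions (objects of type nd A): hypothesis labels, impi, impe.
@dataclass(frozen=True)
class Hyp:
    name: str

@dataclass(frozen=True)
class ImpI:       # impi (λname:nd hyp. body)
    name: str
    hyp: Formula
    body: "ND"

@dataclass(frozen=True)
class ImpE:       # impe fn arg
    fn: "ND"
    arg: "ND"

ND = Union[Hyp, ImpI, ImpE]


def hil_formula(h: Hil) -> Formula:
    """The formula A such that h : hil A; rejects an ill-formed mp."""
    if isinstance(h, K):
        return Imp(h.a, Imp(h.b, h.a))
    if isinstance(h, S):
        return Imp(Imp(h.a, Imp(h.b, h.c)), Imp(Imp(h.a, h.b), Imp(h.a, h.c)))
    f, a = hil_formula(h.h1), hil_formula(h.h2)
    if not isinstance(f, Imp) or f.left != a:
        raise TypeError("ill-formed mp")
    return f.right


def hilnd(h: Hil) -> ND:
    """The clauses hnd_k, hnd_s and hnd_mp read as a function on closed inputs."""
    if isinstance(h, K):
        return ImpI("u", h.a, ImpI("v", h.b, Hyp("u")))
    if isinstance(h, S):
        return ImpI("u", Imp(h.a, Imp(h.b, h.c)),
                    ImpI("v", Imp(h.a, h.b),
                         ImpI("w", h.a, ImpE(ImpE(Hyp("u"), Hyp("w")),
                                             ImpE(Hyp("v"), Hyp("w"))))))
    # hnd_mp: both subderivations are closed, so their translations combine by impe.
    return ImpE(hilnd(h.h1), hilnd(h.h2))


def nd_check(d: ND, ctx: dict) -> Formula:
    """Type-check an nd term under hypotheses ctx; stands in for LF type-checking."""
    if isinstance(d, Hyp):
        return ctx[d.name]
    if isinstance(d, ImpI):
        return Imp(d.hyp, nd_check(d.body, {**ctx, d.name: d.hyp}))
    f, a = nd_check(d.fn, ctx), nd_check(d.arg, ctx)
    if not isinstance(f, Imp) or f.left != a:
        raise TypeError("ill-formed impe")
    return f.right


def translate_and_certify(h: Hil) -> ND:
    """Translate h and certify that the result proves exactly what h proved."""
    d = hilnd(h)
    if nd_check(d, {}) != hil_formula(h):
        raise AssertionError("translation changed the proved formula")
    return d

# Constructed input: the page's query hilnd (mp (mp s k) k) D, proving A imp A.
A, B = Atom("A"), Atom("B")
IDENTITY = MP(MP(S(A, Imp(B, A), A), K(A, Imp(B, A))), K(A, B))
```

Running translate_and_certify(IDENTITY) returns the nested impe/impi term printed above; the certification step is what the text means by each individual computation being guaranteed correct, while termination and coverage of hilnd itself remain unchecked here just as in Elf.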


5.3. The deduction theorem

One crucial step in proving the other direction (natural deductions can be translated
to axiomatic derivations) is the deduction theorem. In its simplest form it concerns a
hypothetical derivation: if we can prove $B$ assuming $A$ (written as $A \vdash_H B$),
then we can derive $A \supset B$. This is not quite enough for our application, since
during a natural deduction many hypotheses may arise. So we let $\Delta$ range over
collections of hypotheses $A_1, \ldots, A_n$ and write $\Delta \vdash_H B$. An
implementation of a proof of the deduction theorem using $FS_0$ is described in
[Basin and Matthews 1996] and may be compared to the relational implementation below.

5.2. Theorem (Deduction Theorem). If $\Delta, A \vdash_H B$ then $\Delta \vdash_H A \supset B$.

Proof. The proof proceeds by induction on the structure of the derivation
$\mathcal{H} :: \Delta, A \vdash_H B$. In the implementation of the proof the
extraneous hypotheses $\Delta$ will be represented by hypotheses in LF and can
therefore be left implicit in the main judgment. Thus the proof is implemented as a
higher-level judgment, relating the representation of the hypothetical derivation of
$A \vdash_H B$ to the derivation of $\vdash_H A \supset B$. Recall that a hypothetical
derivation is represented as an LF function from derivations of the hypothesis to
derivations of the conclusion. Thus we arrive at the type family

ded : (hil A → hil B) → hil (A imp B) → type

where A and B are implicitly quantified.


Case: $\mathcal{H} = \Delta, A \vdash_H A$, that is, $\mathcal{H}$ consists of a use of
the hypothesis $A$. Then we need to show that $\Delta \vdash_H A \supset A$. This
follows by two applications of Modus Ponens from $(S)$ and $(K)$. Written in linear
form instead of the more awkward tree we have
\[
\begin{array}{lll}
1 & (A \supset ((B \supset A) \supset A)) \supset ((A \supset (B \supset A)) \supset (A \supset A)) & S \\
2 & A \supset ((B \supset A) \supset A) & K \\
3 & (A \supset (B \supset A)) \supset (A \supset A) & MP\ 1\ 2 \\
4 & A \supset (B \supset A) & K \\
5 & A \supset A & MP\ 3\ 4
\end{array}
\]
As an LF term, this is represented succinctly by mp (mp s k) k, a term already
familiar from the sample query at the end of the previous section. The LF function
λu:hil A. u represents the immediate use of the hypothesis $\vdash_H A$, labelled
internally by u. Thus we have

ded_id : ded (λu:hil A. u) (mp (mp s k) k).

Case: $\mathcal{H} = \Delta, A \vdash_H A_i$ where $A_i$ occurs in $\Delta$. In this
case we have to give a derivation of $\Delta \vdash_H A \supset A_i$. But this follows
from an application of Modus Ponens and $K$.
\[
\begin{array}{lll}
1 & \Delta \vdash_H A_i \supset (A \supset A_i) & K \\
2 & \Delta \vdash_H A_i & \text{(hyp)} \\
3 & \Delta \vdash_H A \supset A_i & MP\ 1\ 2
\end{array}
\]
There is no corresponding case in the implementation of the type family ded. Instead,
we need to make the assumption that the deduction theorem applied to a new hypothesis
labelled w yields mp k w wherever w is introduced. This technique will be illustrated
in the next section.

Case:
\[
\mathcal{H} = \dfrac{}{\Delta, A \vdash_H B_1 \supset (B_2 \supset B_1)}\ K
\]
Then we proceed as follows:
\[
\begin{array}{lll}
1 & \Delta \vdash_H (B_1 \supset (B_2 \supset B_1)) \supset (A \supset (B_1 \supset (B_2 \supset B_1))) & K \\
2 & \Delta \vdash_H B_1 \supset (B_2 \supset B_1) & K \\
3 & \Delta \vdash_H A \supset (B_1 \supset (B_2 \supset B_1)) & MP\ 1\ 2
\end{array}
\]

ded_k : ded (λu:hil A. k) (mp k k).

Cases: All remaining axioms ($S$, $N_1$, $N_2$, $F_1$, $F_2$) are handled as in the
previous case. We only show their implementations.

ded_n1 : ded (λu:hil A. n1) (mp k n1).

ded_n2 : ded (λu:hil A. n2) (mp k n2).

ded_f1 : ded (λu:hil A. f1 T) (mp k (f1 T)).

ded_f2 : ded (λu:hil A. f2) (mp k f2).
Case:
\[
\mathcal{H} = \dfrac{\begin{array}{c}\mathcal{H}_1\\ \Delta, A \vdash_H B_1 \supset B_2\end{array} \qquad \begin{array}{c}\mathcal{H}_2\\ \Delta, A \vdash_H B_1\end{array}}{\Delta, A \vdash_H B_2}\ MP
\]
\[
\begin{array}{lll}
1 & \Delta \vdash_H A \supset (B_1 \supset B_2) & \text{Ind. hyp. on } \mathcal{H}_1 \\
2 & \Delta \vdash_H (A \supset (B_1 \supset B_2)) \supset ((A \supset B_1) \supset (A \supset B_2)) & S \\
3 & \Delta \vdash_H (A \supset B_1) \supset (A \supset B_2) & MP\ 2\ 1 \\
4 & \Delta \vdash_H A \supset B_1 & \text{Ind. hyp. on } \mathcal{H}_2 \\
5 & \Delta \vdash_H A \supset B_2 & MP\ 3\ 4
\end{array}
\]
Appeals to induction hypotheses are implemented in the premises of the higher-level
judgment, generating H1' and H2', respectively. Note how the premises $\mathcal{H}_1$
and $\mathcal{H}_2$ of $\mathcal{H}$ are once again hypothetical, that is, they may
depend on the assumption $A$. This is implemented as (H1 u) and (H2 u) in the
declaration below.

ded_mp :
  ded (λu:hil A. mp (H1 u) (H2 u)) (mp (mp s H1') H2')
    ← ded H1 H1'
    ← ded H2 H2'.


Case:
\[
\mathcal{H} = \dfrac{\begin{array}{c}\mathcal{H}_1\\ \Delta, A \vdash_H [a/x]B_1\end{array}}{\Delta, A \vdash_H \forall x.\,B_1}\ UG^a
\]
\[
\begin{array}{lll}
1 & \Delta \vdash_H A \supset [a/x]B_1 & \text{Ind. hyp. on } \mathcal{H}_1 \\
2 & \Delta \vdash_H \forall x.\,(A \supset B_1) & UG^a\ 1 \\
3 & \Delta \vdash_H (\forall x.\,(A \supset B_1)) \supset (A \supset \forall x.\,B_1) & F_2 \\
4 & \Delta \vdash_H A \supset \forall x.\,B_1 & MP\ 3\ 2
\end{array}
\]
The side conditions on $UG^a$ and $F_2$ are satisfied by virtue of the proviso that $a$
not occur in $\Delta$, $A$, or $\forall x.\,B_1$, that is, that $\mathcal{H}_1$ be
parametric in $a$. In the implementation we simply create a new parameter a.

ded_ug :
  ded (λu:hil A. ug (H1 u)) (mp f2 (ug H1'))
    ← (Πa:i. ded (λu:hil A. H1 u a) (H1' a)).

□

The declarations for the higher-level judgment ded can be executed as a logic
program, thus capturing the computational content of the deduction theorem. This
corresponds to the algorithm for bracket abstraction in combinatory logic [Curry and
Feys 1958].
5.4. Translating natural deductions to axiomatic derivations

Obtaining a translation from natural deductions to axiomatic derivations is now
straightforward. Note that we must allow for hypotheses, since the ${\supset}I$ rule
introduces them (if viewed from the bottom up).

5.3. Theorem. If $\vdash_N A$ follows from hypotheses $\vdash_N A_1, \ldots, \vdash_N A_n$,
then there exists a hypothetical axiomatic derivation of $A_1, \ldots, A_n \vdash_H A$.

Proof. By induction on $\mathcal{D} :: \vdash_N A$. We abbreviate $A_1, \ldots, A_n$
by $\Delta$. In the implementation we deal with each hypothesis as it is introduced,
rather than globally. Thus the type family that implements the meta-proof just relates
a natural deduction to a Hilbert derivation.

ndhil : ΠA:o. nd A → hil A → type.

Case:
\[
\mathcal{D} = \dfrac{}{\vdash_N A_i}\ u_i
\]
This constitutes application of a hypothesis. Then $\mathcal{H}$ is a one-step
derivation using the corresponding hypothesis. It is implemented wherever hypotheses
are introduced, which are the cases for ${\supset}I$ and ${\neg}I$.

Case:
\[
\mathcal{D} = \dfrac{\begin{array}{c}\overline{\vdash_N A_1}\,u\\ \mathcal{D}_1\\ \vdash_N A_2\end{array}}{\vdash_N A_1 \supset A_2}\ {\supset}I^u
\]
By induction hypothesis on $\mathcal{D}_1$, there exists a derivation $\mathcal{H}_1$
of $\Delta, A_1 \vdash_H A_2$. Hence, by the deduction theorem, there exists a
derivation $\mathcal{H}_1'$ of $\Delta \vdash_H A_1 \supset A_2$, which is what we
needed to show. The implementation combines this and the previous case by introducing
hypotheses u:nd A1 and v:hil A1 and assuming that the translation of u should be v.
Since this rule introduces a new hypothesis $\vdash_H A_1$, we must also indicate how
the deduction theorem behaves on the new assumption. This may be gleaned from the
second case in the proof of the deduction theorem.

ndh_impi :
  ndhil (impi D1) H1'
    ← (Πu:nd A1. Πv:hil A1.
        (ΠC:o. ded (λw:hil C. v) (mp k v))
        → ndhil u v
        → ndhil (D1 u) (H1 v))
    ← ded H1 H1'.
Case:
\[
\mathcal{D} = \dfrac{\begin{array}{c}\mathcal{D}_1\\ \vdash_N \forall x.\,A_1\end{array}}{\vdash_N [t/x]A_1}\ {\forall}E
\]
By induction hypothesis on $\mathcal{D}_1$ there exists a derivation $\mathcal{H}_1$
of $\Delta \vdash_H \forall x.\,A_1$. By modus ponens from an instance of axiom schema
$F_1$ and $\mathcal{H}_1$ we can then construct a derivation $\mathcal{H}$ of
$\Delta \vdash_H [t/x]A_1$.

ndh_foralle : ndhil (foralle D1 T) (mp (f1 T) H1) ← ndhil D1 H1.

Cases: We omit the remaining cases which are similar to the two given above. It is an
instructive exercise to reconstruct the informal argument from the implementation
given below.

ndh_impe : ndhil (impe D1 D2) (mp H1 H2)
  ← ndhil D1 H1
  ← ndhil D2 H2.

ndh_noti :
  ndhil (noti D1) (mp (mp n1 H1') H1'')
    ← (Πp:o. Πu:nd A1. Πv:hil A1.
        (ΠC:o. ded (λw:hil C. v) (mp k v))
        → ndhil u v
        → ndhil (D1 p u) (H1 p v))
    ← ded (H1 (not A1)) H1'
    ← ded (H1 A1) H1''.

ndh_note : ndhil (note D1 C D2) (mp (mp n2 H1) H2)
  ← ndhil D1 H1
  ← ndhil D2 H2.

ndh_foralli : ndhil (foralli D1) (ug H1)
  ← (Πa:i. ndhil (D1 a) (H1 a)).

□

In summary, we can represent some aspects of constructive meta-theoretic proofs as
higher-level judgments in LF. These higher-level judgments can be executed in Elf with
the operational semantics from Section 4.4 to translate derivations between deductive
systems. While the result of each individual computation of this form is guaranteed
to be correct, the higher-level judgment is only partially verified since termination
and coverage of all possible cases are properties outside the scope of the
type-checker.
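The deduction theorem of Section 5.3 (the relation ded, i.e. bracket abstraction) and the translation ndhil of Section 5.4, restricted to the implicational fragment, as one added Python example that is not part of the chapter or of Elf. The ded cases ded_id, ded_k and ded_mp, and the assumption mp k w for a hypothesis other than the one being abstracted, become the branches of ded; ndh_impi and ndh_impe become ndhil, which threads the nd hypotheses in scope in place of the LF hypotheses u:nd A, v:hil A. The Hilbert checker hil_formula plays the role of LF type-checking: a closed result that passes it is a correct derivation even though ded and ndhil themselves are not verified for termination or coverage. All class and function names, and the inputs ID_ND and S_ND, are this example's own constructions.

```python
"""Bracket abstraction (ded) and natural-deduction-to-Hilbert translation (ndhil),
implicational fragment only (assumed names; example code, not the chapter's Elf)."""
from dataclasses import dataclass
from typing import Union

# Formulas of the implicational fragment (type o on the page).
@dataclass(frozen=True)
class Atom:
    name: str

@dataclass(frozen=True)
class Imp:
    left: "Formula"
    right: "Formula"

Formula = Union[Atom, Imp]

# Axiomatic derivations: k, s, mp and a labelled hypothesis (v:hil A on the page).
@dataclass(frozen=True)
class K:
    a: Formula
    b: Formula

@dataclass(frozen=True)
class S:
    a: Formula
    b: Formula
    c: Formula

@dataclass(frozen=True)
class MP:
    h1: "Hil"
    h2: "Hil"

@dataclass(frozen=True)
class HHyp:
    name: str
    formula: Formula

Hil = Union[K, S, MP, HHyp]

# Natural deductions: hypothesis label, impi (λu:nd A. D) and impe D1 D2.
@dataclass(frozen=True)
class Hyp:
    name: str

@dataclass(frozen=True)
class ImpI:
    name: str
    hyp: Formula
    body: "ND"

@dataclass(frozen=True)
class ImpE:
    fn: "ND"
    arg: "ND"

ND = Union[Hyp, ImpI, ImpE]


def hil_formula(h: Hil, hyps: dict) -> Formula:
    """Formula proved by h under the hypotheses hyps (Δ on the page). Rejects an
    ill-formed mp or an out-of-scope hypothesis, so hyps == {} certifies closedness."""
    if isinstance(h, HHyp):
        if hyps.get(h.name) != h.formula:
            raise TypeError(f"hypothesis {h.name} not in scope")
        return h.formula
    if isinstance(h, K):
        return Imp(h.a, Imp(h.b, h.a))
    if isinstance(h, S):
        return Imp(Imp(h.a, Imp(h.b, h.c)), Imp(Imp(h.a, h.b), Imp(h.a, h.c)))
    f, a = hil_formula(h.h1, hyps), hil_formula(h.h2, hyps)
    if not isinstance(f, Imp) or f.left != a:
        raise TypeError("ill-formed mp")
    return f.right


def ded(u: str, a: Formula, h: Hil, hyps: dict) -> Hil:
    """Deduction theorem as bracket abstraction: from h :: Δ, u:A ⊢ B build a
    derivation of Δ ⊢ A ⊃ B in which u no longer occurs."""
    if isinstance(h, HHyp) and h.name == u:
        # ded_id: mp (mp s k) k proves A ⊃ A; the page's free B is chosen as A here.
        return MP(MP(S(a, Imp(a, a), a), K(a, Imp(a, a))), K(a, a))
    if isinstance(h, MP):
        # ded_mp: mp (mp s H1') H2', with s instantiated at A, B1, B2.
        inner = {**hyps, u: a}
        b1, b2 = hil_formula(h.h2, inner), hil_formula(h, inner)
        return MP(MP(S(a, b1, b2), ded(u, a, h.h1, hyps)), ded(u, a, h.h2, hyps))
    # An axiom (ded_k and friends) or another hypothesis w (the assumption mp k w).
    return MP(K(hil_formula(h, hyps), a), h)


def ndhil(d: ND, hyps: dict) -> Hil:
    """ndh_impi and ndh_impe as a function; hyps maps each nd label to its formula."""
    if isinstance(d, Hyp):
        return HHyp(d.name, hyps[d.name])       # translation of u is v
    if isinstance(d, ImpE):
        return MP(ndhil(d.fn, hyps), ndhil(d.arg, hyps))
    h1 = ndhil(d.body, {**hyps, d.name: d.hyp})  # Δ, A1 ⊢ A2
    return ded(d.name, d.hyp, h1, hyps)          # Δ ⊢ A1 ⊃ A2


def translate_and_certify(d: ND) -> Hil:
    """Translate a closed natural deduction and certify the result is a closed,
    well-formed axiomatic derivation of the same formula."""
    h = ndhil(d, {})
    hil_formula(h, {})
    return h

# Constructed inputs: the identity deduction and the natural deduction of axiom S.
A, B, C = Atom("A"), Atom("B"), Atom("C")
ID_ND = ImpI("u", A, Hyp("u"))
S_ND = ImpI("u", Imp(A, Imp(B, C)),
            ImpI("v", Imp(A, B),
                 ImpI("w", A, ImpE(ImpE(Hyp("u"), Hyp("w")),
                                   ImpE(Hyp("v"), Hyp("w"))))))
```

Translating S_ND round-trips the output of the previous example: the axiomatic derivation it returns proves exactly the S axiom, but as a term built from s, k and mp rather than the single constant s, which is the usual blow-up of bracket abstraction.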


6. Appendix: the simply-typed λ-calculus

For the representation of the abstract syntax of a language, the simply-typed
λ-calculus ($\lambda^{\to}$) is usually adequate. When we tackle the task of
representing inference rules, we will have to refine the type system by adding
dependent types. The reader should bear in mind that $\lambda^{\to}$ should not be
considered as a functional programming language, but as a representation language. In
particular, the absence of recursion will be crucial in order to guarantee adequacy of
representations. Our formulation of the simply-typed λ-calculus has two levels: the
level of types and the level of objects, where types classify objects. Furthermore, we
have signatures which declare type and object constants, and contexts which assign
types to variables. The presentation is in the style of Church: every valid object has
a unique type. This requires that types appear in the syntax of objects to resolve the
inherent ambiguity of certain functions such as the identity function. We let $a$ range
over type constants, $c$ over object constants, $x$ over variables.
\[
\begin{array}{lrcl}
\text{Types} & A & ::= & a \mid A_1 \to A_2 \\
\text{Objects} & M & ::= & c \mid x \mid \lambda x{:}A.\,M \mid M_1\,M_2 \\
\text{Signatures} & \Sigma & ::= & \cdot \mid \Sigma, a{:}\text{type} \mid \Sigma, c{:}A \\
\text{Contexts} & \Gamma & ::= & \cdot \mid \Gamma, x{:}A
\end{array}
\]
We make the general restriction that constants and variables can occur at most once
in a signature or context, respectively. We use $A$ and $B$ to range over types, and
$M$ and $N$ to range over objects. We refer to type constants $a$ as atomic types and
types of the form $A \to B$ as function types. We also consider terms that differ only
in the names of their bound variables as identical and use the variable convention as
for first-order logic in Section 2.

The judgments defining $\lambda^{\to}$ are
\[
\begin{array}{ll}
\vdash_\Sigma A : \text{type} & A \text{ is a valid type} \\
\Gamma \vdash_\Sigma M : A & M \text{ is a valid object of type } A \text{ in context } \Gamma \\
\vdash_\Sigma \Gamma\ \text{Ctx} & \Gamma \text{ is a valid context} \\
\vdash \Sigma\ \text{Sig} & \Sigma \text{ is a valid signature}
\end{array}
\]
Note that the first three of these judgments depend on a signature $\Sigma$ which we
presuppose to be valid. Similarly, we assume that $\Gamma$ is always valid in the
judgment $\Gamma \vdash_\Sigma M : A$. The judgments are defined via the following
inference rules.

Valid objects
\[
\dfrac{c{:}A \text{ in } \Sigma}{\Gamma \vdash_\Sigma c : A}\ \text{con}
\qquad
\dfrac{x{:}A \text{ in } \Gamma}{\Gamma \vdash_\Sigma x : A}\ \text{var}
\]
\[
\dfrac{\vdash_\Sigma A : \text{type} \qquad \Gamma, x{:}A \vdash_\Sigma M : B}{\Gamma \vdash_\Sigma \lambda x{:}A.\,M : A \to B}\ \text{lam}
\qquad
\dfrac{\Gamma \vdash_\Sigma M : A \to B \qquad \Gamma \vdash_\Sigma N : A}{\Gamma \vdash_\Sigma M\,N : B}\ \text{app}
\]

Valid types
\[
\dfrac{a{:}\text{type} \text{ in } \Sigma}{\vdash_\Sigma a : \text{type}}\ \text{con}
\qquad
\dfrac{\vdash_\Sigma A : \text{type} \qquad \vdash_\Sigma B : \text{type}}{\vdash_\Sigma A \to B : \text{type}}\ \text{arrow}
\]

Valid signatures
\[
\dfrac{}{\vdash \cdot\ \text{Sig}}\ \text{sigemp}
\qquad
\dfrac{\vdash \Sigma\ \text{Sig}}{\vdash \Sigma, a{:}\text{type}\ \text{Sig}}\ \text{sigtyp}
\qquad
\dfrac{\vdash \Sigma\ \text{Sig} \qquad \vdash_\Sigma A : \text{type}}{\vdash \Sigma, c{:}A\ \text{Sig}}\ \text{sigobj}
\]

Valid contexts
\[
\dfrac{}{\vdash_\Sigma \cdot\ \text{Ctx}}\ \text{ctxemp}
\qquad
\dfrac{\vdash_\Sigma \Gamma\ \text{Ctx} \qquad \vdash_\Sigma A : \text{type}}{\vdash_\Sigma \Gamma, x{:}A\ \text{Ctx}}\ \text{ctxobj}
\]

The rules for valid objects are somewhat non-standard in that they contain no check
whether the signature $\Sigma$ or the context $\Gamma$ are valid, which we presuppose.
Furthermore, the rules guarantee that if we have a derivation $\mathcal{D}$ of
$\Gamma \vdash_\Sigma M : A$ and $\Gamma$ is valid, then every context appearing in
$\mathcal{D}$ is also valid. This is because the type $A$ in the lam rule is checked
for validity as it is added to the context.

Our formulation of the simply-typed λ-calculus above is parameterized by a signature
in which new constants can be declared; only variables, λ-abstraction, and application
are built into the language itself. The analogue of observable values in functional
programming languages is the notion of canonical form, since they are in one-one
correspondence with the data we are trying to represent. Unlike in functional
languages, every well-typed object will have an equivalent canonical form which can be
calculated with a simple algorithm. For the definition of canonical forms as a
deductive system we need two mutually recursive judgments: canonical and atomic forms.
For the sake of brevity, we elide the fixed signature $\Sigma$ from this judgment.
\[
\begin{array}{ll}
\Gamma \vdash M \Uparrow A & \text{object } M \text{ is canonical of type } A \\
\Gamma \vdash M \downarrow A & \text{object } M \text{ is atomic of type } A
\end{array}
\]
An atomic form is a variable or constant applied to some number of arguments, each of
which is in canonical form. A canonical form of functional type must be a
λ-abstraction; a canonical form of atomic type $a$ must itself be atomic. This is
captured with the following inference rules.
\[
\dfrac{\Gamma, x{:}A \vdash M \Uparrow B}{\Gamma \vdash \lambda x{:}A.\,M \Uparrow A \to B}\ \text{arrow}
\qquad
\dfrac{\Gamma \vdash M \downarrow a}{\Gamma \vdash M \Uparrow a}\ \text{coerce}
\]
\[
\dfrac{x{:}A \text{ in } \Gamma}{\Gamma \vdash x \downarrow A}\ \text{var}
\qquad
\dfrac{c{:}A \text{ in } \Sigma}{\Gamma \vdash c \downarrow A}\ \text{con}
\qquad
\dfrac{\Gamma \vdash M \downarrow B \to A \qquad \Gamma \vdash N \Uparrow B}{\Gamma \vdash M\,N \downarrow A}\ \text{app}
\]


The algorithm for conversion to canonical and atomic forms introduces λ-abstractions
if the object is of functional type, essentially applying η-expansion. At base type we
check if the object has the form of a variable or constant applied to some arguments.
If so, we convert the arguments to canonical form. If not, we repeatedly apply weak
head reduction until the other case applies. This method of definition of a typed
λ-calculus corresponds to an operational semantics for a functional language and is
very much in the spirit of the method of algorithmic definition for type theories
[de Bruijn 1993]. Related systems have been described in [Felty and Miller 1990,
Coquand 1991]. The algorithm is given as a deductive system consisting of three
judgments which may be interpreted as a logic program.
\[
\begin{array}{ll}
M \xrightarrow{\text{whr}} M' & M \text{ weak head reduces to } M' \\
\Gamma \vdash M \Uparrow M' : A & M \text{ converts to canonical form } M' \text{ at type } A \\
\Gamma \vdash M \downarrow M' : A & M \text{ converts to atomic form } M' \text{ at type } A
\end{array}
\]
First, the rules for weak head reduction. We write $[N/x]M$ for the result of
substituting $N$ for $x$ in $M$, possibly renaming bound variables to avoid variable
capture.
\[
\dfrac{}{(\lambda x{:}A.\,M)\,N \xrightarrow{\text{whr}} [N/x]M}\ \text{whr\_beta}
\qquad
\dfrac{M \xrightarrow{\text{whr}} M'}{M\,N \xrightarrow{\text{whr}} M'\,N}\ \text{whr\_app}
\]


The rules for conversion to canonical and atomic form mutually depend on each other.
Note how the rules for canonical form are type-directed, while the rules for atomic
form are object-directed.
\[
\dfrac{\Gamma, x{:}A \vdash M\,x \Uparrow M' : B}{\Gamma \vdash M \Uparrow (\lambda x{:}A.\,M') : A \to B}\ \text{arrow}
\qquad
\dfrac{M \xrightarrow{\text{whr}} M' \qquad \Gamma \vdash M' \Uparrow M'' : a}{\Gamma \vdash M \Uparrow M'' : a}\ \text{whr}
\]
\[
\dfrac{\Gamma \vdash M \downarrow M' : a}{\Gamma \vdash M \Uparrow M' : a}\ \text{coerce}
\qquad
\dfrac{x{:}A \text{ in } \Gamma}{\Gamma \vdash x \downarrow x : A}\ \text{var}
\qquad
\dfrac{c{:}A \text{ in } \Sigma}{\Gamma \vdash c \downarrow c : A}\ \text{con}
\]
\[
\dfrac{\Gamma \vdash M \downarrow M' : A \to B \qquad \Gamma \vdash N \Uparrow N' : A}{\Gamma \vdash M\,N \downarrow M'\,N' : B}\ \text{app}
\]
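The three judgments just given, run as a program, as an added Python example that is not part of the chapter. whr is the one-step weak head reduction, canon implements $\Gamma \vdash M \Uparrow M' : A$ (type-directed: η-expand at function type, otherwise reduce at the head until an atomic form appears) and atomic implements $\Gamma \vdash M \downarrow M' : A$ (object-directed, converting arguments recursively). Substitution renames bound variables to avoid capture, as the text requires of $[N/x]M$. The term and type classes, the helper fresh, and the signature SIG are this example's own constructions.

```python
"""Conversion to canonical form for the simply-typed λ-calculus: weak head
reduction plus type-directed η-expansion (assumed names; example code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple, Union

@dataclass(frozen=True)
class TConst:                 # atomic type a
    name: str

@dataclass(frozen=True)
class Arrow:                  # function type A -> B
    left: "Type"
    right: "Type"

Type = Union[TConst, Arrow]

@dataclass(frozen=True)
class Const:                  # object constant c, declared in the signature Σ
    name: str

@dataclass(frozen=True)
class Var:                    # variable x, declared in the context Γ
    name: str

@dataclass(frozen=True)
class Lam:                    # λx:A. M
    var: str
    ty: Type
    body: "Term"

@dataclass(frozen=True)
class App:                    # M N
    fn: "Term"
    arg: "Term"

Term = Union[Const, Var, Lam, App]


def free_vars(m: Term) -> Set[str]:
    if isinstance(m, Var):
        return {m.name}
    if isinstance(m, Const):
        return set()
    if isinstance(m, Lam):
        return free_vars(m.body) - {m.var}
    return free_vars(m.fn) | free_vars(m.arg)


def fresh(base: str, avoid: Set[str]) -> str:
    """Deterministic renaming: prime the name until it clashes with nothing in avoid."""
    while base in avoid:
        base += "'"
    return base


def subst(n: Term, x: str, m: Term) -> Term:
    """[N/x]M with capture-avoiding renaming of bound variables."""
    if isinstance(m, Var):
        return n if m.name == x else m
    if isinstance(m, Const):
        return m
    if isinstance(m, App):
        return App(subst(n, x, m.fn), subst(n, x, m.arg))
    if m.var == x:                       # x is shadowed by the binder
        return m
    if m.var in free_vars(n):            # rename the binder before going under it
        y = fresh(m.var, free_vars(n) | free_vars(m.body))
        return Lam(y, m.ty, subst(n, x, subst(Var(y), m.var, m.body)))
    return Lam(m.var, m.ty, subst(n, x, m.body))


def whr(m: Term) -> Optional[Term]:
    """One step of M --whr--> M', or None if M has no β-redex at its head."""
    if isinstance(m, App):
        if isinstance(m.fn, Lam):                       # whr_beta
            return subst(m.arg, m.fn.var, m.fn.body)
        fn2 = whr(m.fn)                                 # whr_app
        return None if fn2 is None else App(fn2, m.arg)
    return None


def canon(ctx: Dict[str, Type], sig: Dict[str, Type], m: Term, a: Type) -> Term:
    """Γ ⊢ M ⇑ M' : A, type-directed."""
    if isinstance(a, Arrow):                            # arrow: η-expand
        x = fresh(m.var if isinstance(m, Lam) else "x", set(ctx) | free_vars(m))
        return Lam(x, a.left, canon({**ctx, x: a.left}, sig, App(m, Var(x)), a.right))
    reduced = whr(m)                                    # whr: reduce at the head
    if reduced is not None:
        return canon(ctx, sig, reduced, a)
    m2, b = atomic(ctx, sig, m)                         # coerce: head is x or c
    if b != a:
        raise TypeError(f"expected {a}, found {b}")
    return m2


def atomic(ctx: Dict[str, Type], sig: Dict[str, Type], m: Term) -> Tuple[Term, Type]:
    """Γ ⊢ M ↓ M' : A, object-directed; the type is synthesized from the head."""
    if isinstance(m, Var):                              # var
        return m, ctx[m.name]
    if isinstance(m, Const):                            # con
        return m, sig[m.name]
    if isinstance(m, App):                              # app
        fn2, fty = atomic(ctx, sig, m.fn)
        if not isinstance(fty, Arrow):
            raise TypeError("application of a non-function")
        return App(fn2, canon(ctx, sig, m.arg, fty.left)), fty.right
    raise TypeError("a λ-abstraction at atomic type is ill-typed")

# Constructed signature: c : a and f : a -> a.
a = TConst("a")
SIG: Dict[str, Type] = {"c": a, "f": Arrow(a, a)}
```

For instance canon({}, SIG, Const("f"), Arrow(a, a)) η-expands the bare constant to λx:a. f x, canon({}, SIG, App(Lam("x", a, Var("x")), Const("c")), a) β-reduces to c, and the identity at type (a → a) → (a → a) becomes λg:a→a. λx:a. g x, which is the unique canonical form Theorem 6.1 promises.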

The following properties of the simply-typed λ-calculus follow easily from known
results for more conventional representations. The last is the most difficult and can
be established rather elegantly using logical relations [Pfenning 2001].

6.1. Theorem (Properties of $\lambda^{\to}$).

1. If $\Gamma \vdash M \Uparrow A$ then $\Gamma \vdash M : A$.

2. If $\Gamma \vdash M \downarrow A$ then $\Gamma \vdash M : A$.

3. If $\Gamma \vdash M \Uparrow M' : A$ then $\Gamma \vdash M' \Uparrow A$.

4. If $\Gamma \vdash M \downarrow M' : A$ then $\Gamma \vdash M' \downarrow A$.

5. If $\Gamma \vdash M : A$ then there exists a unique $N$ such that $\Gamma \vdash M \Uparrow N : A$.

Two objects $M$ and $M'$ are definitionally equal at type $A$ (written as
$\Gamma \vdash M = M' : A$) if they have the same canonical form at type $A$. This
coincides with a notion of definitional equality based on $\beta$- and
$\eta$-conversions. In particular, $\beta$- and $\eta$-conversion are admissible rules
of inference to determine definitional equality of objects. We may omit the context,
signature, and type and just write $M = M'$. Systems are often defined based on a
notion of conversion, in which case the system above could be considered as specifying
an algorithm for deciding equality. The next section provides an example of this kind.


7. Appendix: the dependently typed λ-calculus

The typing rules for LF can be found under the name $\lambda P$ in Chapter XXII,
except that the rule of type conversion for LF is based on $\beta\eta$-conversion
rather than just $\beta$-conversion. Because $\beta\eta$-conversion is not confluent
on ill-typed terms, the standard approach to proving theoretical properties does not
work in the context of LF, even though it may be adapted with some effort [Geuvers
1992, Ghani 1997, Goguen 1999].
We prefer a formulation with typed equality judgments in the style of Martin-Löf [Harper 1988] as presented in a slightly richer framework [Coquand 1991]. We call the resulting type theory $\lambda^\Pi$. First we define its basic judgments, which include typing and definitional equality. Coquand [1991] proves the correctness of an untyped algorithm for conversion which demonstrates decidability of the judgments defining LF. From this one can conclude easily that canonical (that is, long βη-normal) forms exist and are unique, which is critical for the adequacy theorems throughout this chapter. An alternative proof using an erasure interpretation for dependencies is given by Harper and Pfenning [2000]. We give an inductive definition of canonical forms which can be used directly in adequacy proofs to establish compositional bijections between canonical objects of $\lambda^\Pi$ and expressions or deductions in an object logic. This part is analogous to the development for the simply-typed λ-calculus in the preceding section. We also have eliminated the non-dependent function type $A \to B$ since we can think of it as an abbreviation for $\Pi x{:}A.\,B$ where $x$ does not occur in $B$.

$\lambda^\Pi$ is a predicative calculus with three levels: kinds, families, and objects. We also define signatures and contexts as they are needed for the judgments.

Kinds        $K ::= \mathsf{type} \mid \Pi x{:}A.\,K$
Families     $A ::= a \mid A\,M \mid \Pi x{:}A_1.\,A_2$
Objects      $M ::= c \mid x \mid \lambda x{:}A.\,M \mid M_1\,M_2$
Signatures   $\Sigma ::= \cdot \mid \Sigma, a{:}K \mid \Sigma, c{:}A$
Contexts     $\Gamma ::= \cdot \mid \Gamma, x{:}A$

Besides the typed notion of equality, this language differs from the one given by Harper et al. [1993] in that we do not allow families to be formed by explicit abstraction. Since such families never occur in canonical forms, this does not lead to any loss in expressive power. Unlike in $\lambda^{\to}$ we can no longer introduce typing independently of definitional equality, because of the rule of type conversion motivated in Section 3.4.


$\Gamma \vdash_\Sigma M : A$          $M$ has type $A$
$\Gamma \vdash_\Sigma M = M' : A$     $M$ is definitionally equal to $M'$ at type $A$
$\Gamma \vdash_\Sigma A : K$          $A$ has kind $K$
$\Gamma \vdash_\Sigma A = A' : K$     $A$ is definitionally equal to $A'$ at kind $K$
$\Gamma \vdash_\Sigma K : \mathsf{kind}$        $K$ is a valid kind
$\Gamma \vdash_\Sigma K = K' : \mathsf{kind}$   $K$ is definitionally equal to $K'$
$\vdash \Sigma\ \mathsf{Sig}$            $\Sigma$ is a valid signature
$\vdash_\Sigma \Gamma\ \mathsf{Ctx}$       $\Gamma$ is a valid context


These judgments are defined by the rules given below. For the typing and equality judgments we presuppose that the signature $\Sigma$ and the context $\Gamma$ are valid, so we do not check this in the rules for variables and constants. Furthermore, we do not have an explicit rule for η-conversion, since it, together with a congruence rule for λ-abstraction, is equivalent to the extensionality rule eq_lam for functional equality.


Valid objects

$$\frac{\Gamma \vdash_\Sigma A : \mathsf{type} \qquad \Gamma, x{:}A \vdash_\Sigma M : B}{\Gamma \vdash_\Sigma \lambda x{:}A.\,M : \Pi x{:}A.\,B}\ \text{lam}$$

$$\frac{\Gamma \vdash_\Sigma A : \mathsf{type} \qquad \Gamma, x{:}A \vdash_\Sigma M\,x = M'\,x : B}{\Gamma \vdash_\Sigma M = M' : \Pi x{:}A.\,B}\ \text{eq\_lam}$$

$$\frac{c{:}A \text{ in } \Sigma}{\Gamma \vdash_\Sigma c : A}\ \text{con} \qquad \frac{x{:}A \text{ in } \Gamma}{\Gamma \vdash_\Sigma x : A}\ \text{var}$$

$$\frac{\Gamma \vdash_\Sigma M : \Pi x{:}A.\,B \qquad \Gamma \vdash_\Sigma N : A}{\Gamma \vdash_\Sigma M\,N : [N/x]B}\ \text{app}$$

$$\frac{\Gamma \vdash_\Sigma M = M' : \Pi x{:}A.\,B \qquad \Gamma \vdash_\Sigma N = N' : A}{\Gamma \vdash_\Sigma M\,N = M'\,N' : [N/x]B}\ \text{eq\_app}$$

$$\frac{\Gamma, x{:}A \vdash_\Sigma M : B \qquad \Gamma \vdash_\Sigma N : A}{\Gamma \vdash_\Sigma (\lambda x{:}A.\,M)\,N = [N/x]M : [N/x]B}\ \text{beta}$$


Valid types

$$\frac{\Gamma \vdash_\Sigma A : \mathsf{type} \qquad \Gamma, x{:}A \vdash_\Sigma B : \mathsf{type}}{\Gamma \vdash_\Sigma \Pi x{:}A.\,B : \mathsf{type}}\ \text{pi}$$

$$\frac{\Gamma \vdash_\Sigma A = A' : \mathsf{type} \qquad \Gamma, x{:}A \vdash_\Sigma B = B' : \mathsf{type}}{\Gamma \vdash_\Sigma \Pi x{:}A.\,B = \Pi x{:}A'.\,B' : \mathsf{type}}\ \text{eq\_pi}$$

$$\frac{a{:}K \text{ in } \Sigma}{\Gamma \vdash_\Sigma a : K}\ \text{con}$$

$$\frac{\Gamma \vdash_\Sigma A : \Pi x{:}B.\,K \qquad \Gamma \vdash_\Sigma M : B}{\Gamma \vdash_\Sigma A\,M : [M/x]K}\ \text{app}$$

$$\frac{\Gamma \vdash_\Sigma A = A' : \Pi x{:}B.\,K \qquad \Gamma \vdash_\Sigma M = M' : B}{\Gamma \vdash_\Sigma A\,M = A'\,M' : [M/x]K}\ \text{eq\_app}$$

Valid kinds

$$\frac{}{\Gamma \vdash_\Sigma \mathsf{type} : \mathsf{kind}}\ \text{type}$$

$$\frac{\Gamma \vdash_\Sigma A : \mathsf{type} \qquad \Gamma, x{:}A \vdash_\Sigma K : \mathsf{kind}}{\Gamma \vdash_\Sigma \Pi x{:}A.\,K : \mathsf{kind}}\ \text{pi}$$

$$\frac{\Gamma \vdash_\Sigma A = A' : \mathsf{type} \qquad \Gamma, x{:}A \vdash_\Sigma K = K' : \mathsf{kind}}{\Gamma \vdash_\Sigma \Pi x{:}A.\,K = \Pi x{:}A'.\,K' : \mathsf{kind}}\ \text{eq\_pi}$$


Equality rules. We present the equality rules for all three levels in abbreviated form, where $U$, $V$, and $W$ range over objects, types, kinds, or the symbol $\mathsf{kind}$ as appropriate for the equality judgments shown above.

$$\frac{\Gamma \vdash_\Sigma U : V}{\Gamma \vdash_\Sigma U = U : V}\ \text{refl}$$

$$\frac{\Gamma \vdash_\Sigma U_1 = U_2 : V}{\Gamma \vdash_\Sigma U_2 = U_1 : V}\ \text{sym}$$

$$\frac{\Gamma \vdash_\Sigma U_1 = U_2 : V \qquad \Gamma \vdash_\Sigma U_2 = U_3 : V}{\Gamma \vdash_\Sigma U_1 = U_3 : V}\ \text{trans}$$

$$\frac{\Gamma \vdash_\Sigma U : V \qquad \Gamma \vdash_\Sigma V = V' : W}{\Gamma \vdash_\Sigma U : V'}\ \text{conv}$$

$$\frac{\Gamma \vdash_\Sigma U_1 = U_2 : V \qquad \Gamma \vdash_\Sigma V = V' : W}{\Gamma \vdash_\Sigma U_1 = U_2 : V'}\ \text{eq\_conv}$$


Valid signatures

$$\frac{}{\vdash \cdot\ \mathsf{Sig}}\ \text{sigemp}$$

$$\frac{\vdash \Sigma\ \mathsf{Sig} \qquad \vdash_\Sigma K : \mathsf{kind}}{\vdash \Sigma, a{:}K\ \mathsf{Sig}}\ \text{sigfam}$$

$$\frac{\vdash \Sigma\ \mathsf{Sig} \qquad \vdash_\Sigma A : \mathsf{type}}{\vdash \Sigma, c{:}A\ \mathsf{Sig}}\ \text{sigobj}$$

Valid contexts

$$\frac{}{\vdash_\Sigma \cdot\ \mathsf{Ctx}}\ \text{ctxemp} \qquad \frac{\vdash_\Sigma \Gamma\ \mathsf{Ctx} \qquad \Gamma \vdash_\Sigma A : \mathsf{type}}{\vdash_\Sigma \Gamma, x{:}A\ \mathsf{Ctx}}\ \text{ctxobj}$$

We can obtain the decidability of the judgments constituting this formulation of LF via a sequence of lemmas culminating in an argument via Kripke-logical relations and an untyped algorithm for testing equality as given by Coquand [1991]. The version of this theorem for β-conversion only (where the eq_lam rule is replaced by a congruence rule for λ-abstraction) is due to Harper et al. [1993].

7.1. Theorem (Properties of LF).

1. If $\Gamma_1, x{:}A, y{:}B, \Gamma_2 \vdash_\Sigma M : C$ and $\Gamma_1 \vdash_\Sigma B : \mathsf{type}$ then $\Gamma_1, y{:}B, x{:}A, \Gamma_2 \vdash_\Sigma M : C$.

2. If $\Gamma \vdash_\Sigma M : C$ and $\Gamma \vdash_\Sigma A : \mathsf{type}$ then $\Gamma, x{:}A \vdash_\Sigma M : C$.

3. If $\Gamma_1, x{:}A, \Gamma_2 \vdash_\Sigma M : C$ and $\Gamma_1 \vdash_\Sigma N : A$ then $\Gamma_1, [N/x]\Gamma_2 \vdash_\Sigma [N/x]M : [N/x]C$.

4. All judgments defining the $\lambda^\Pi$ type theory are decidable.

We single out the properties of exchange, weakening, and substitution, since they are at the core of the judgments-as-types representation technique. Note that contraction is a simple consequence of substitution in our formulation. Parametric and hypothetical judgments can be implemented as functions in $\lambda^\Pi$ because these properties match the properties of hypotheses. Logics such as linear logic in which assumptions do not satisfy these properties must be represented with different techniques. This has led, for example, to the development of the linear logical framework [Cervesato and Pfenning 1996] which provides more control over properties of assumptions.

We continue by presenting the notions of canonical and atomic form as a judgment, generalizing the analogous judgments from the simply-typed λ-calculus in Section 6.


$\Gamma \vdash_\Sigma M \Uparrow A$     $M$ is canonical of type $A$
$\Gamma \vdash_\Sigma M \downarrow A$   $M$ is atomic of type $A$
$\Gamma \vdash_\Sigma A \Uparrow K$     $A$ is canonical of kind $K$
$\Gamma \vdash_\Sigma A \downarrow K$   $A$ is atomic of kind $K$

These judgments are defined via the following inference rules. We use $P$ for a base type, that is, one which has the form $a\,M_1 \ldots M_n$ rather than $\Pi x{:}A.\,B$.


Canonical objects

$$\frac{\Gamma \vdash_\Sigma A : \mathsf{type} \qquad \Gamma, x{:}A \vdash_\Sigma M \Uparrow B \qquad \Gamma \vdash_\Sigma A = A' : \mathsf{type}}{\Gamma \vdash_\Sigma \lambda x{:}A.\,M \Uparrow \Pi x{:}A'.\,B}\ \text{lam}$$

$$\frac{\Gamma \vdash_\Sigma M \downarrow P \qquad \Gamma \vdash_\Sigma P = P' : \mathsf{type}}{\Gamma \vdash_\Sigma M \Uparrow P'}\ \text{coerce}$$

Atomic objects

$$\frac{c{:}A \text{ in } \Sigma}{\Gamma \vdash_\Sigma c \downarrow A}\ \text{con} \qquad \frac{x{:}A \text{ in } \Gamma}{\Gamma \vdash_\Sigma x \downarrow A}\ \text{var}$$

$$\frac{\Gamma \vdash_\Sigma M \downarrow \Pi x{:}A.\,B \qquad \Gamma \vdash_\Sigma N \Uparrow A}{\Gamma \vdash_\Sigma M\,N \downarrow [N/x]B}\ \text{atmapp}$$

Canonical types

$$\frac{\Gamma \vdash_\Sigma A \Uparrow \mathsf{type} \qquad \Gamma, x{:}A \vdash_\Sigma B \Uparrow \mathsf{type}}{\Gamma \vdash_\Sigma \Pi x{:}A.\,B \Uparrow \mathsf{type}}\ \text{pi}$$

$$\frac{\Gamma \vdash_\Sigma P \downarrow \mathsf{type}}{\Gamma \vdash_\Sigma P \Uparrow \mathsf{type}}\ \text{coerce}$$

Atomic types

$$\frac{a{:}K \text{ in } \Sigma}{\Gamma \vdash_\Sigma a \downarrow K}\ \text{con}$$

$$\frac{\Gamma \vdash_\Sigma A \downarrow \Pi x{:}B.\,K \qquad \Gamma \vdash_\Sigma M \Uparrow B}{\Gamma \vdash_\Sigma A\,M \downarrow [M/x]K}\ \text{app}$$
It is easy to see that canonical forms are well-typed.

7.2. Theorem (Properties of canonical forms).

1. If $\Gamma \vdash_\Sigma M \Uparrow A$ then $\Gamma \vdash_\Sigma M : A$.

2. If $\Gamma \vdash_\Sigma M \downarrow A$ then $\Gamma \vdash_\Sigma M : A$.

3. If $\Gamma \vdash_\Sigma A \Uparrow K$ then $\Gamma \vdash_\Sigma A : K$.

4. If $\Gamma \vdash_\Sigma A \downarrow K$ then $\Gamma \vdash_\Sigma A : K$.

Proof. By straightforward induction on the structure of the canonical and atomic forms. □

Finally we come to algorithms for conversion to canonical form. They are designed so that two terms are definitionally equal if they have the same canonical form.

$M \xrightarrow{\mathrm{whr}} M'$                  $M$ weak head reduces to $M'$
$\Gamma \vdash_\Sigma M \Uparrow M' : A$        $M$ has canonical form $M'$ at type $A$
$\Gamma \vdash_\Sigma M \downarrow M' : A'$     $M$ has atomic form $M'$ at type $A'$
$\Gamma \vdash_\Sigma A \Uparrow A' : K$        $A$ has canonical form $A'$ at kind $K$
$\Gamma \vdash_\Sigma A \downarrow A' : K'$     $A$ has atomic form $A'$ at kind $K'$

To read these judgments as algorithms we apply the logic programming interpretation of these rules for the bottom-up construction of a derivation. In weak head reduction we assume that $M$ is given and $M'$ is constructed. In the judgments for conversion to canonical form we assume that $\Sigma$, $\Gamma$, $M$, $A$, and $K$ are given while we construct $M'$ and $A'$. In the judgments for atomic forms we assume $\Sigma$, $\Gamma$, $M$, and $A$ to be given and construct $M'$, $A'$, and $K'$.

Weak head reduction

$$\frac{}{(\lambda x{:}A.\,M)\,N \xrightarrow{\mathrm{whr}} [N/x]M}\ \text{whr\_beta} \qquad \frac{M \xrightarrow{\mathrm{whr}} M'}{M\,N \xrightarrow{\mathrm{whr}} M'\,N}\ \text{whr\_app}$$

Conversion to canonical objects

$$\frac{\Gamma \vdash_\Sigma A \Uparrow A' : \mathsf{type} \qquad \Gamma, x{:}A' \vdash_\Sigma M\,x \Uparrow M' : B}{\Gamma \vdash_\Sigma M \Uparrow \lambda x{:}A'.\,M' : \Pi x{:}A.\,B}\ \text{pi}$$

$$\frac{\Gamma \vdash_\Sigma M \downarrow M' : P \qquad \Gamma \vdash_\Sigma P = P' : \mathsf{type}}{\Gamma \vdash_\Sigma M \Uparrow M' : P'}\ \text{atm}$$

$$\frac{M \xrightarrow{\mathrm{whr}} M' \qquad \Gamma \vdash_\Sigma M' \Uparrow M'' : P}{\Gamma \vdash_\Sigma M \Uparrow M'' : P}\ \text{whr}$$

Conversion to atomic objects

$$\frac{c{:}A \text{ in } \Sigma}{\Gamma \vdash_\Sigma c \downarrow c : A}\ \text{con} \qquad \frac{x{:}A \text{ in } \Gamma}{\Gamma \vdash_\Sigma x \downarrow x : A}\ \text{var}$$

$$\frac{\Gamma \vdash_\Sigma M \downarrow M' : \Pi x{:}A.\,B \qquad \Gamma \vdash_\Sigma N \Uparrow N' : A}{\Gamma \vdash_\Sigma M\,N \downarrow M'\,N' : [N'/x]B}\ \text{app}$$

Conversion to canonical types

$$\frac{\Gamma \vdash_\Sigma A \Uparrow A' : \mathsf{type} \qquad \Gamma, x{:}A' \vdash_\Sigma B \Uparrow B' : \mathsf{type}}{\Gamma \vdash_\Sigma \Pi x{:}A.\,B \Uparrow \Pi x{:}A'.\,B' : \mathsf{type}}\ \text{pi}$$

$$\frac{\Gamma \vdash_\Sigma P \downarrow P' : \mathsf{type}}{\Gamma \vdash_\Sigma P \Uparrow P' : \mathsf{type}}\ \text{atm}$$

Conversion to atomic types

$$\frac{a{:}K \text{ in } \Sigma}{\Gamma \vdash_\Sigma a \downarrow a : K}\ \text{con}$$

$$\frac{\Gamma \vdash_\Sigma A \downarrow A' : \Pi x{:}B.\,K \qquad \Gamma \vdash_\Sigma M \Uparrow M' : B}{\Gamma \vdash_\Sigma A\,M \downarrow A'\,M' : [M'/x]K}\ \text{app}$$

We show only the relevant properties for canonical forms on objects; atomic forms, types, and kinds satisfy similar properties.

7.3. Theorem (Convertibility).

1. If $\Gamma \vdash_\Sigma M \Uparrow M' : A$ then $\Gamma \vdash_\Sigma M' \Uparrow A$.

2. If $\Gamma \vdash_\Sigma M \Uparrow M' : A$ then $\Gamma \vdash_\Sigma M = M' : A$.

3. If $\Gamma \vdash_\Sigma M : A$ then there is a unique $M'$ such that $\Gamma \vdash_\Sigma M \Uparrow M' : A$.

4. $\Gamma \vdash_\Sigma M = M' : A$ iff $\Gamma \vdash_\Sigma M \Uparrow N : A$ and $\Gamma \vdash_\Sigma M' \Uparrow N : A$ for some $N$.

Proof. The first two properties follow by simple structural inductions. The last two follow from Coquand's algorithm [Coquand 1991] by additional η-expansions. Related proofs are given by Harper and Pfenning [2000] and Virga [1999]. □


8. Conclusion

We have provided an introduction to the techniques of logical frameworks with an emphasis on LF which is based on the dependently typed λ-calculus $\lambda^\Pi$. We now summarize the basic choices that arise in the design of logical frameworks.

Equational vs. deductive encodings. Logical frameworks based on rewriting logic [Martí-Oliet and Meseguer 1993] (variations of which are implemented in Maude [Maude 1999] and ELAN [ELAN 1998, Kirchner et al. 1993, Haberstrau 1994, Borovansky et al. 1998]) are based on equational reasoning, rewriting, and constraints, while others discussed in this chapter (LF, hereditary Harrop formulas, FS₀, ALF) are based on deductive reasoning. It is clear that each approach can be simulated in the other, but usually with some loss of clarity, efficiency and elegance for certain classes of applications. Rewriting logic, for example, deals particularly well with concurrency, while it does not seem well suited for situations where deductions themselves need to be reified in the meta-language. First steps for combining ideas from these classes of frameworks are the rewriting mechanisms in Isabelle [Nipkow 1989] and the study of term rewriting in higher-order languages with dependent types [Virga 1996, Virga 1999]. For more on rewriting logic and its use as a logical framework, see [Meseguer 1998, Kirchner and Kirchner 1998]. The semantic origin of this work is institutions [Goguen and Burstall 1992]; a connection is made by Meseguer [1987].
Strong vs. weak frameworks. De Bruijn, the founder of the field of logical frameworks, argues in [de Bruijn 1991a] that logical frameworks should be foundationally uncommitted and as weak as possible. This allows simple proofs of adequacy for encodings, efficient checking of the correctness of derivations, and allows effective algorithms for unification and proof search in the framework which are otherwise difficult to design (for example, in the presence of iterated inductive definitions). This is also important if we use explicit proofs as a means to increase confidence in the results of a theorem prover: the simpler the logical framework, the more trusted its implementation is likely to be. While most frameworks are based on weak fragments of intuitionistic logic or type theory, labelled deductive systems as proposed by Gabbay [1994, 1996] are a notable exception. They are based essentially on classical, first-order logic where deductions are restricted through the use of labels endowed with an equational theory. Proof search can proceed, for example, by classical resolution techniques. For more on this approach, see Chapter XI. This encoding is well-suited for modal logics, but it appears less immediately applicable to other deductive systems, especially those arising in the theory of programming languages.


Inductive representations vs. higher-order abstract syntax. This is related to the previous question. Inductive representations of logics are supported in FS₀ [Feferman 1988] and ALF [Magnusson and Nordström 1994] and many logics not explicitly designed as logical frameworks such as Nuprl [Basin and Constable 1993], LEGO [Pollack 1994], Coq [Dowek, Felty, Herbelin, Huet, Murthy, Parent, Paulin-Mohring and Werner 1993], and Isabelle/HOL [Paulson 1993]. They allow a formal development of the meta-theory of the deductive system in question, but the encodings are less direct than for frameworks employing higher-order abstract syntax and functional representations of hypothetical derivations. These are the foundation of LF (underlying Elf) and hereditary Harrop formulas (underlying λProlog and Isabelle). Present work on combining the advantages of both either employs reflection [Despeyroux et al. 1997, Leleu 1998] or formal meta-reasoning about the logical framework itself [McDowell and Miller 1997, Schürmann and Pfenning 1998, Schürmann 2000].

Logical vs. type-theoretic meta-languages. A logical meta-language such as one based on hereditary Harrop formulas encodes judgments as propositions. Search for a derivation in an object logic is reduced to proof search in the meta-logic. In addition, type-theoretical meta-languages such as LF offer a representation for derivations as objects. Checking the correctness of a derivation is reduced to type-checking in the meta-language. This is a decidable property that enables the use of a logical framework for applications such as proof-carrying code, where an explicit representation for deductions is required (see Section 8.2).

Functional vs. logical meta-programming. ML has originally been designed as a meta-language to program theorem provers for complex logics. It is still used in this capacity in many theorem proving environments and logical frameworks, including Isabelle. The strategy language of ELAN is similar, but has rich primitives for non-deterministic search which have to be programmed in ML, a sequential language. The functional meta-language approach has the disadvantage that the programmer must deal with many languages: the object logic, the logical framework, and the implementation language of the logical framework. A more uniform approach is to directly give an operational semantics to the logical framework in the spirit of abstract logic programming [Miller et al. 1991]. This makes it quite easy to program algorithms, but this approach has some drawbacks when it comes to user interaction.


8.1. Framework extensions

Logical framework languages are judged along many dimensions, as the discussions above indicate. Three of the most important concerns are how directly object languages may be encoded, how easy it is to prove the adequacies of these encodings, and how simple the proof checker for a logical framework can be. A great deal of practical experience has been accumulated, for example, through the use of λProlog, Isabelle, and Elf. These experiments have also identified certain shortcomings in the logical frameworks; some of these have even led to explicit negative results [Gardner 1992]. We briefly summarize some of the current research on refining or extending logical frameworks. Any proposed extension must carefully weigh the benefits for classes of applications against the complications it introduces into the meta-theory.


Substructural extensions. Frameworks such as hereditary Harrop formulas or LF can encode linear and other substructural logics [Girard 1987], but their encodings are not as direct as one might hope. The reason is that linear assumptions (each of which must be used exactly once) can not be modeled as hypotheses in the meta-language (which satisfy weakening and contraction). For similar reasons, the store in the encoding of an imperative programming language cannot be modeled via hypotheses on the values of the cells in the store. The linear frameworks Forum and linear LF have been designed to overcome these limitations. Forum [Miller 1994] is based on classical linear logic and extends hereditary Harrop formulas. Chirimar [1995] shows how to apply Forum to the theory of imperative programming languages. Linear LF [Cervesato and Pfenning 1997] is a conservative extension of LF with linear hypotheses. The desirable properties of LF are retained when the new connectives are restricted to linear implication, additive conjunction, and additive truth. Unlike Forum, the connectives are interpreted intuitionistically, which allows proof terms with decidable equality and type-checking relations to reify linear deductions and imperative computations. Applications to imperative programming can be found in [Cervesato 1996], applications to cut-elimination in both classical and intuitionistic sequent calculi are given in [Pfenning 1994b].
Subtyping. In many cases an object language or logic exhibits natural subtyping relationships. For example, deductions in normal form may be considered a subtype of arbitrary natural deductions. In the absence of subtyping, these can be coded either as explicit higher-level judgments or via explicit coercions, in both cases often significantly complicating the representation. In [Pfenning 1993], we have proposed an extension of LF to permit a simple and decidable subtyping judgment. Despite its relative simplicity it complicates unification and proof search [Kohlhase and Pfenning 1993] and the pragmatic consequences are unclear at present. Other approaches for general type theories have also been proposed recently [Aspinall and Compagnoni 1996], but their practicality in the context of logical frameworks is untested.


Polymorphism. Both Isabelle and λProlog allow polymorphism in the presentation of logics; in the case of Isabelle this includes sort restrictions on type variables. Like subtyping, polymorphism significantly complicates unification and proof search. Adequacy of encodings using higher-order abstract syntax is also more difficult to prove, since the notion of η-long form is more complex [Dowek, Huet and Werner 1993, Ghani 1997] and not preserved under substitution for type variables. On the other hand, polymorphism avoids code duplication; a similar effect might be achieved with module systems instead.


Module languages. The modular presentation of logical systems has always been considered important. For Automath, de Bruijn has proposed the notion of telescope [de Bruijn 1991b] as a modularity mechanism. For pure type systems [Barendregt 1992] (which include $\lambda^\Pi$ as a subcalculus) Courant [1997, 1999] has described a general module calculus. The modular presentation of logics has been investigated in [Harper, Sannella and Tarlecki 1989a, Harper, Sannella and Tarlecki 1989b, Harper, Sannella and Tarlecki 1994] and cast in a concrete module language for Elf in [Harper and Pfenning 1998] following the ideas of signatures and functors in ML. Rewriting logic also explicitly supports logic morphisms within a flexible module language based on [Meseguer 1987]. The notion of theory in Isabelle provides another structuring mechanism [Nipkow 1993]. The module language for λProlog is more concerned with the operational semantics and search spaces while remaining based on solid logical foundations [Miller 1986, Miller 1989, Nadathur and Tong 1999].


8.2. Proof-carrying code

An important recent application of logical frameworks is the notion of proof-carrying code (PCC) [Necula 1997] and certifying compilation [Necula 1998, Necula and Lee 1998a]. Proof-carrying code is a safety infrastructure for mobile code and operating system extension. A code producer supplies not only a binary executable but also a proof of its safety according to some predetermined safety policy. This proof is expressed as an object in the LF logical framework, although other type-theoretic frameworks could be used as well. The code consumer downloads the binary and proof object and checks the safety proof against the binary. This is accomplished by generating a verification condition $A$ from the binary in a single, linear sweep and then checking the proof object $M$ against the verification condition by simple LF type-checking, $M : A$.

A safety policy is expressed by a verification condition generator and an LF signature which encodes the proof rules for verification conditions. Examples of such safety policies are type safety and memory safety, guaranteeing that a program will not access memory outside its address space [Necula 1998]. Another example is resource bounds in operating systems extensions such as packet filters [Necula and Lee 1996].

Since both the verification condition generator and the LF type-checker are relatively small (compared to compilers or theorem provers), the trusted computing base of this architecture is quite small. The use of a logical framework where deductions are reified as objects allows one single implementation to support multiple safety policies and proof rules, increasing trust in the reliability of the architecture, especially since the properties of LF are well understood and thoroughly investigated.

The realization of proof-carrying code raised some interesting directions for the development of logical frameworks. Here we consider two: how do we generate proof objects and how can we eliminate redundancy from LF objects to achieve compact encodings of proofs?

The generation of proof objects is the task of a certifying compiler which takes advantage of properties of the source language to generate annotations on the assembly code. In case of the Touchstone compiler [Necula 1998], this is a safe subset of C. The annotations guarantee that a specialized theorem prover has enough information to derive the verification condition for the binary. The specialized theorem prover maintains enough information to generate LF proof objects with respect to the axioms and inference rules available for the given safety policy. For type and memory safety, this has been shown to be practical, including a proof-generating version of the simplex algorithm described in [Necula 1998]. Thus, the theorem prover as a whole does not need to be trusted, since it generates derivations which can be verified independently.

The second question concerns the elimination of redundancy in the LF representation of derivations. A first proposal in this direction for the Elf logic programming language was made in [Michaylov and Pfenning 1992]. In PCC, the representation can be further optimized [Necula and Lee 1998b] since the main operation we are concerned with is type-checking, while Elf has to support unification and proof search. The principle, however, is the same and goes back to the notion of strictness in functional languages. This has been analyzed by Pfenning and Schürmann [1998a].
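The conversion judgments of Section 7, read as the algorithm described there (weak head reduction, conversion to canonical and atomic form, definitional equality by comparing canonical forms), together with the PCC check of Section 8.2 (a proof object checked against a verification condition by LF type-checking, $M : A$), as one added example in Python. This is not code from the chapter, from Elf, or from any PCC implementation. The tuple term representation, the small "safety logic" signature (propositions `o`, proofs `pf A`, connectives `and` and `imp` with introduction rules `andI` and `impI`, atoms `p` and `q`) and the verification condition `p ⊃ (q ⊃ (p ∧ q))` are all constructed for the demonstration, and the helper names `fresh`, `subst`, `alpha_eq`, `whr`, `canon`, `atomic`, `has_type` and `equal` are assumptions of this example, not the chapter's notation.

```python
# Added example (not from the chapter): a checker for the λ^Π calculus of
# Section 7, reading the conversion rules as an algorithm, then used for the
# PCC check of Section 8.2: proof object M against verification condition A.
import itertools

# Terms at all three levels: ("type",) | ("const", n) | ("var", n)
#   | ("app", f, a) | ("lam", x, A, M) | ("pi", x, A, B)
TYPE, _counter = ("type",), itertools.count()

def fresh(x):                                # globally unique binder names
    return f"{x.split('#')[0]}#{next(_counter)}"

def subst(t, x, n):
    """Capture-avoiding substitution [n/x]t; binders are renamed on the way down."""
    k = t[0]
    if k == "var": return n if t[1] == x else t
    if k == "app": return ("app", subst(t[1], x, n), subst(t[2], x, n))
    if k in ("lam", "pi") and t[1] != x:
        y = fresh(t[1])
        return (k, y, subst(t[2], x, n), subst(subst(t[3], t[1], ("var", y)), x, n))
    return (k, t[1], subst(t[2], x, n), t[3]) if k in ("lam", "pi") else t  # shadowed / leaf

def alpha_eq(s, t, env=()):
    """Equality up to renaming of bound variables; env pairs binders of s and t."""
    if s[0] != t[0]: return False
    if s[0] == "var":
        hit = next(((a, b) for a, b in env if s[1] == a or t[1] == b), None)
        return (s[1], t[1]) == hit if hit else s[1] == t[1]
    if s[0] == "app": return alpha_eq(s[1], t[1], env) and alpha_eq(s[2], t[2], env)
    if s[0] in ("lam", "pi"):
        return alpha_eq(s[2], t[2], env) and alpha_eq(s[3], t[3], ((s[1], t[1]),) + env)
    return s == t

def whr(m):
    """One step of weak head reduction (whr_beta, whr_app); None if M is stuck."""
    if m[0] == "app":
        if m[1][0] == "lam": return subst(m[1][3], m[1][1], m[2])
        f = whr(m[1])
        if f is not None: return ("app", f, m[2])
    return None

def canon(sig, ctx, m, a):
    """Γ ⊢ M ⇑ M' : A for objects, or Γ ⊢ A ⇑ A' : type for families (a == TYPE)."""
    if m[0] == "pi":                         # Π family: canonicalize domain and body
        x, a1, b = m[1:]
        a1c, x2 = canon(sig, ctx, a1, TYPE), fresh(x)
        return ("pi", x2, a1c, canon(sig, ctx + [(x2, a1c)], subst(b, x, ("var", x2)), TYPE))
    if a[0] == "pi":                         # rule pi: η-expand an object at function type
        x, a1, b = a[1:]
        a1c, x2 = canon(sig, ctx, a1, TYPE), fresh(x)
        body = canon(sig, ctx + [(x2, a1c)], ("app", m, ("var", x2)), subst(b, x, ("var", x2)))
        return ("lam", x2, a1c, body)
    m2 = whr(m)
    if m2 is not None: return canon(sig, ctx, m2, a)          # rule whr
    m1, p = atomic(sig, ctx, m)              # rule atm: synthesized P must equal the given P'
    if a != TYPE: p, a = canon(sig, ctx, p, TYPE), canon(sig, ctx, a, TYPE)
    if not alpha_eq(p, a): raise TypeError(f"type mismatch: {p} vs {a}")
    return m1

def atomic(sig, ctx, m):
    """Γ ⊢ M ↓ M' : A (or A ↓ A' : K) for a constant or variable head applied to arguments."""
    if m[0] == "const": return m, sig[m[1]]
    if m[0] == "var": return m, dict(ctx)[m[1]]
    if m[0] != "app": raise TypeError("λ-abstraction is not atomic")
    f1, fa = atomic(sig, ctx, m[1])
    if fa[0] != "pi": raise TypeError("applying a non-function")
    n1 = canon(sig, ctx, m[2], fa[2])        # argument is checked against the domain
    return ("app", f1, n1), subst(fa[3], fa[1], n1)

def has_type(sig, ctx, m, a):
    """Type checking by conversion: M : A iff M has a canonical form at A (Theorem 7.3)."""
    try:
        canon(sig, ctx, m, a)
        return True
    except (TypeError, KeyError):
        return False

def equal(sig, ctx, m1, m2, a):
    """Γ ⊢ M1 = M2 : A iff both have the same canonical form (Theorem 7.3, item 4)."""
    return alpha_eq(canon(sig, ctx, m1, a), canon(sig, ctx, m2, a))

# --- constructed "safety logic" Σ: propositions o, proofs pf A, ∧ and ⊃ ------
C, V = (lambda n: ("const", n)), (lambda n: ("var", n))
def app(f, *xs):
    for x in xs: f = ("app", f, x)
    return f
def pi(x, a, b): return ("pi", x, a, b)
def arrow(a, b): return pi("_", a, b)        # A -> B is Πx:A. B with x not in B
O, PF = C("o"), (lambda a: app(C("pf"), a))
SIG = {
    "o": TYPE, "pf": arrow(O, TYPE), "p": O, "q": O,
    "and": arrow(O, arrow(O, O)), "imp": arrow(O, arrow(O, O)),
    "andI": pi("A", O, pi("B", O, arrow(PF(V("A")), arrow(PF(V("B")),
            PF(app(C("and"), V("A"), V("B"))))))),
    "impI": pi("A", O, pi("B", O, arrow(arrow(PF(V("A")), PF(V("B"))),
            PF(app(C("imp"), V("A"), V("B")))))),
}
P, Q, PQ = C("p"), C("q"), app(C("and"), C("p"), C("q"))
VC = PF(app(C("imp"), P, app(C("imp"), Q, PQ)))               # p ⊃ (q ⊃ (p ∧ q))
def proof(w):   # impI p (q⊃p∧q) (λu:pf p. impI q (p∧q) (λv:pf q. andI p q u w))
    return app(C("impI"), P, app(C("imp"), Q, PQ), ("lam", "u", PF(P),
           app(C("impI"), Q, PQ, ("lam", "v", PF(Q), app(C("andI"), P, Q, V("u"), w)))))
PROOF, BAD = proof(V("v")), proof(V("u"))    # BAD uses u : pf p where pf q is required
```

`has_type(SIG, [], PROOF, VC)` is the consumer's check and returns `True`; `has_type(SIG, [], BAD, VC)` returns `False`, because inside the atm rule the type synthesized for the atomic argument `u` (`pf p`) does not agree with the required `pf q`. `has_type` reads Theorem 7.3 directly: an object has a type exactly when conversion to canonical form at that type succeeds, and `equal` decides definitional equality by comparing canonical forms up to renaming of bound variables, so both a β-redex such as `(λA:o. and A A) p` and an η-expansion such as `λx:pf p. f x` are identified with their canonical counterparts. Families are handled by the same `canon`/`atomic` pair (with `TYPE` as the classifier), which is why dependent types such as `pf (and p q)` are compared after their argument objects have been canonicalized.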
8.3. Further reading

There have been numerous case studies and applications carried out with the aid of logical frameworks or generic theorem provers, too many to survey them here. The principal application areas lie in the theory of programming languages and logics, reasoning about specifications, programs, and protocols, and the formalization of mathematics. We refer the interested reader to [Pfenning 1996] for some further information on applications of logical frameworks. A survey with deeper coverage of modal logics and inductive definitions can be found in [Basin and Matthews 2000]. The textbook [Pfenning 2001] provides a gentler and more thorough introduction to the pragmatics of the LF logical framework and its use for the study of programming languages. The author also maintains a home page on logical frameworks [Logical Frameworks 1994] at http://www.cs.cmu.edu/~fp/lfs.html which is periodically updated, and which contains a more extensive bibliography and pointers to implementations, mailing lists, and related material.